From: Ping-Ke Shih <pkshih@realtek.com>
To: <linux-wireless@vger.kernel.org>
Subject: [PATCH rtw-next 11/14] wifi: rtw89: phy: check length before parsing PHY status IE
Date: Wed, 6 May 2026 21:09:57 +0800
Message-ID: <20260506131000.1706298-12-pkshih@realtek.com>
In-Reply-To: <20260506131000.1706298-1-pkshih@realtek.com>
Hardware might report a PHY status IE with an unexpected length, and the
parser might access out of range. Check the length ahead.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
---
drivers/net/wireless/realtek/rtw89/core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c
index 7fa479ce52e2..7e1182a49942 100644
--- a/drivers/net/wireless/realtek/rtw89/core.c
+++ b/drivers/net/wireless/realtek/rtw89/core.c
@@ -2276,7 +2276,6 @@ static int rtw89_core_rx_parse_phy_sts(struct rtw89_dev *rtwdev,
const struct rtw89_phy_sts_iehdr *iehdr = pos;
ie_len = rtw89_core_get_phy_status_ie_len(rtwdev, iehdr);
- rtw89_core_process_phy_status_ie(rtwdev, iehdr, phy_ppdu);
pos += ie_len;
if (pos > end || ie_len == 0) {
/* clear pointers to prevent accessing out of IE */
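Review bot: iehdr is still handed to rtw89_core_get_phy_status_ie_len() before any bounds check in the lines shown, so the length lookup itself reads the IE header without confirming that a full struct rtw89_phy_sts_iehdr remains between pos and end. If the loop condition outside this hunk only guarantees pos < end, a truncated tail would still be dereferenced; consider checking that end - pos is at least sizeof(*iehdr) before the call. Also, `pos += ie_len` followed by `pos > end` forms an out-of-range pointer before testing it; comparing ie_len against end - pos ahead of the addition avoids that.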
@@ -2285,8 +2284,11 @@ static int rtw89_core_rx_parse_phy_sts(struct rtw89_dev *rtwdev,
rtw89_debug(rtwdev, RTW89_DBG_TXRX,
"phy status parse failed\n");
+
return -EINVAL;
}
+
+ rtw89_core_process_phy_status_ie(rtwdev, iehdr, phy_ppdu);
}
rtw89_chip_convert_rpl_to_rssi(rtwdev, phy_ppdu);
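Review bot: the relocated rtw89_core_process_phy_status_ie() call after the `pos > end || ie_len == 0` check receives only iehdr and not ie_len, so the check proves the IE fits in the buffer but not that it is as long as the handler for that IE type expects. If ie_len is taken from the header rather than a fixed per-type size, a short but in-range IE could still be over-read; consider passing ie_len down or validating a per-type minimum before the call. The blank line added before `return -EINVAL;` is an unrelated whitespace change, and since this fixes an out-of-range access, a Fixes: tag in the commit message would help backporting.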
--
2.25.1
Thread overview: 15+ messages
2026-05-06 13:09 [PATCH rtw-next 00/14] wifi: rtw89: improve radiotap especially HE SIG-A/SIG-B Ping-Ke Shih
2026-05-06 13:09 ` [PATCH rtw-next 01/14] wifi: rtw89: add AMPDU to radiotap Ping-Ke Shih
2026-05-06 13:09 ` [PATCH rtw-next 02/14] wifi: rtw89: add VHT beamformed " Ping-Ke Shih
2026-05-06 13:09 ` [PATCH rtw-next 03/14] wifi: rtw89: SNIFFER_MODE bit along IEEE80211_CONF_MONITOR Ping-Ke Shih
2026-05-06 13:09 ` [PATCH rtw-next 04/14] wifi: rtw89: phy: define PHY status IE length for generations Ping-Ke Shih
2026-05-06 13:09 ` [PATCH rtw-next 05/14] wifi: rtw89: phy: enable IE-09/IE-10 PHY status report for monitor mode Ping-Ke Shih
2026-05-06 13:09 ` [PATCH rtw-next 06/14] wifi: rtw89: move HE radiotap to an individual function Ping-Ke Shih
2026-05-06 13:09 ` [PATCH rtw-next 07/14] wifi: rtw89: fill VHT radiotap Ping-Ke Shih
2026-05-06 13:09 ` [PATCH rtw-next 08/14] wifi: rtw89: fill HE-SU/HE-TB/HE-MU/HE-EXT_SU radiotap Ping-Ke Shih
2026-05-06 13:09 ` [PATCH rtw-next 09/14] wifi: rtw89: debug: make implementation of beacon_info entry in order Ping-Ke Shih
2026-05-06 13:09 ` [PATCH rtw-next 10/14] wifi: rtw89: add debugfs entry of monitor mode options to capture HE-MU packets Ping-Ke Shih
2026-05-06 13:09 ` Ping-Ke Shih [this message]
2026-05-06 13:09 ` [PATCH rtw-next 12/14] wifi: rtw89: phy: skip trailing 8-byte zeros of PHY status IE for RTL8922D Ping-Ke Shih
2026-05-06 13:09 ` [PATCH rtw-next 13/14] wifi: rtw89: phy: support PHY status IE-09 GEN2 " Ping-Ke Shih
2026-05-06 13:10 ` [PATCH rtw-next 14/14] wifi: rtw89: check skb headroom before adding radiotap Ping-Ke Shih