From: Zhao Li <enderaoelyther@gmail.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/3] wifi: cfg80211: validate rx/tx MLME callback frame lengths before access
Date: Tue, 7 Jul 2026 10:52:41 +0800 [thread overview]
Message-ID: <20260707025241.22223-1-enderaoelyther@gmail.com> (raw)
In-Reply-To: <488ed9862d5196b8f5ecf23f037fa6725fbe9a52.camel@sipsolutions.net>
On Mon, 2026-07-06 at 18:37 +0800, Johannes Berg wrote:
> > Side effects of this change:
> > - The WARN_ON(len < 2) is replaced by a silent early return, since
> > these cfg80211 callbacks can legitimately receive short frames from
> > drivers.
>
> Can they? How?
You're right, that wording is wrong; no in-tree caller passes len < 2.
mac80211 gates every path well above that (ieee80211_rx_mgmt_auth() at
len < 24 + 6, ieee80211_rx_mgmt_deauth()/disassoc() at len < 24 + 2), and
the locally built deauth/disassoc frames are always full size.
The frames that do reach these callbacks undersized are short relative
to their subtype, not shorter than 2 bytes. mwifiex accepts a 4-address
ieee80211_hdr plus the 2-byte firmware length prefix. After it strips
the prefix and removes addr4, pkt_len can be exactly 24: a bare
3-address management header with no reason-code body.
WARN_ON(len < 2) does not fire on that, and cfg80211_process_deauth()
then reads u.deauth.reason_code as a two-byte access starting at offset
24, immediately past the 24-byte buffer.
So the len >= 2 check only guards the frame_control read; the per-subtype
offsetofend() checks are the actual fix. I'll drop the WARN rather than
keep it, because these are exported callbacks and a malformed frame from
a driver should be dropped silently instead of backtraced.
v2 rewrites the commit message to describe the mwifiex path instead of
the inaccurate "legitimately receive short frames" claim; no code change.
Thanks,
Zhao Li
next prev parent reply other threads:[~2026-07-07 2:52 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-12 18:50 [PATCH 1/3] wifi: cfg80211: validate rx/tx MLME callback frame lengths before access Zhao Li
2026-06-12 18:50 ` [PATCH 2/3] wifi: cfg80211: validate assoc response length before status and IE access Zhao Li
2026-07-06 10:39 ` Johannes Berg
2026-07-07 3:17 ` Zhao Li
2026-06-12 18:50 ` [PATCH 3/3] wifi: mac80211: validate deauth frame length before reason access Zhao Li
2026-07-06 10:37 ` [PATCH 1/3] wifi: cfg80211: validate rx/tx MLME callback frame lengths before access Johannes Berg
2026-07-07 2:52 ` Zhao Li [this message]
2026-07-07 7:21 ` Johannes Berg
2026-07-07 2:53 ` [PATCH v2 " Zhao Li
2026-07-07 2:53 ` [PATCH v2 2/3] wifi: cfg80211: validate assoc response length before status and IE access Zhao Li
2026-07-07 2:53 ` [PATCH v2 3/3] wifi: mac80211: validate deauth frame length before reason access Zhao Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260707025241.22223-1-enderaoelyther@gmail.com \
--to=enderaoelyther@gmail.com \
--cc=johannes@sipsolutions.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox