Linux wireless drivers development
 help / color / mirror / Atom feed
From: Zhao Li <enderaoelyther@gmail.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/3] wifi: cfg80211: validate rx/tx MLME callback frame lengths before access
Date: Tue,  7 Jul 2026 10:52:41 +0800	[thread overview]
Message-ID: <20260707025241.22223-1-enderaoelyther@gmail.com> (raw)
In-Reply-To: <488ed9862d5196b8f5ecf23f037fa6725fbe9a52.camel@sipsolutions.net>

On Mon, 2026-07-06 at 18:37 +0800, Johannes Berg wrote:
> > Side effects of this change:
> >  - The WARN_ON(len < 2) is replaced by a silent early return, since
> >    these cfg80211 callbacks can legitimately receive short frames from
> >    drivers.
>
> Can they? How?

You're right, that wording is wrong; no in-tree caller passes len < 2.
mac80211 gates every path well above that (ieee80211_rx_mgmt_auth() at
len < 24 + 6, ieee80211_rx_mgmt_deauth()/disassoc() at len < 24 + 2), and
the locally built deauth/disassoc frames are always full size.

The frames that do reach these callbacks undersized are short relative
to their subtype, not shorter than 2 bytes. mwifiex accepts a 4-address
ieee80211_hdr plus the 2-byte firmware length prefix. After it strips
the prefix and removes addr4, pkt_len can be exactly 24: a bare
3-address management header with no reason-code body.
WARN_ON(len < 2) does not fire on that, and cfg80211_process_deauth()
then reads u.deauth.reason_code as a two-byte access starting at offset
24, immediately past the 24-byte buffer.

So the len >= 2 check only guards the frame_control read; the per-subtype
offsetofend() checks are the actual fix. I'll drop the WARN rather than
keep it, because these are exported callbacks and a malformed frame from
a driver should be dropped silently instead of backtraced.

v2 rewrites the commit message to describe the mwifiex path instead of
the inaccurate "legitimately receive short frames" claim; no code change.

Thanks,
Zhao Li

  reply	other threads:[~2026-07-07  2:52 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-12 18:50 [PATCH 1/3] wifi: cfg80211: validate rx/tx MLME callback frame lengths before access Zhao Li
2026-06-12 18:50 ` [PATCH 2/3] wifi: cfg80211: validate assoc response length before status and IE access Zhao Li
2026-07-06 10:39   ` Johannes Berg
2026-07-07  3:17     ` Zhao Li
2026-06-12 18:50 ` [PATCH 3/3] wifi: mac80211: validate deauth frame length before reason access Zhao Li
2026-07-06 10:37 ` [PATCH 1/3] wifi: cfg80211: validate rx/tx MLME callback frame lengths before access Johannes Berg
2026-07-07  2:52   ` Zhao Li [this message]
2026-07-07  7:21     ` Johannes Berg
2026-07-07  2:53   ` [PATCH v2 " Zhao Li
2026-07-07  2:53     ` [PATCH v2 2/3] wifi: cfg80211: validate assoc response length before status and IE access Zhao Li
2026-07-07  2:53     ` [PATCH v2 3/3] wifi: mac80211: validate deauth frame length before reason access Zhao Li

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260707025241.22223-1-enderaoelyther@gmail.com \
    --to=enderaoelyther@gmail.com \
    --cc=johannes@sipsolutions.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox