From: Zhao Li <enderaoelyther@gmail.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/3] wifi: cfg80211: validate assoc response length before status and IE access
Date: Tue, 7 Jul 2026 11:17:52 +0800 [thread overview]
Message-ID: <20260707031752.31318-1-enderaoelyther@gmail.com> (raw)
In-Reply-To: <c967e7897f421fde56ca4367c9e10d0c6d9f7ec4.camel@sipsolutions.net>
On Mon, 2026-07-06 at 12:39 +0200, Johannes Berg wrote:
> What makes you claim "unsafe"?
"Unsafe" as in accessed before data->len is validated against the
fixed-field layout, not as in known-exploitable on valid traffic. In
the original struct initialiser, unconditionally:
- .status = le16_to_cpu(mgmt->u.assoc_resp.status_code) reads two bytes
at offset 26, needing data->len >= 28;
- .resp_ie = mgmt->u.assoc_resp.variable points at offset 30 (non-S1G);
- .resp_ie_len = data->len - 30 is a size_t, so it underflows to near
SIZE_MAX when data->len < 30.
resp_ie/resp_ie_len are not a harmless local intermediate: they are
consumed by __cfg80211_connect_result() and nl80211_send_connect_result(),
including the kzalloc() sizing and the memcpy()/nla_put() of resp_ie_len
bytes. So the underflow can feed a later copy/nla_put length rather than
remaining a harmless local value.
The mac80211 caller is fine: ieee80211_rx_mgmt_assoc_resp() gates on
len < 24 + 6 (== offsetof(..., u.assoc_resp.variable)) first. The
mwifiex handoff to cfg80211_rx_assoc_resp() only checks that assoc_rsp_size
is non-zero.
For S1G the IE offset is 28, not 30; the old code filled the regular
assoc-response fields first and only patched resp_ie later once it saw
S1G. v2 makes both layouts explicit and validates data->len before
assigning the fields.
If "unsafe" is too loaded here, I can reword it to "unvalidated" or
"unchecked" in a v3.
Thanks,
Zhao Li
next prev parent reply other threads:[~2026-07-07 3:18 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-12 18:50 [PATCH 1/3] wifi: cfg80211: validate rx/tx MLME callback frame lengths before access Zhao Li
2026-06-12 18:50 ` [PATCH 2/3] wifi: cfg80211: validate assoc response length before status and IE access Zhao Li
2026-07-06 10:39 ` Johannes Berg
2026-07-07 3:17 ` Zhao Li [this message]
2026-06-12 18:50 ` [PATCH 3/3] wifi: mac80211: validate deauth frame length before reason access Zhao Li
2026-07-06 10:37 ` [PATCH 1/3] wifi: cfg80211: validate rx/tx MLME callback frame lengths before access Johannes Berg
2026-07-07 2:52 ` Zhao Li
2026-07-07 7:21 ` Johannes Berg
2026-07-07 2:53 ` [PATCH v2 " Zhao Li
2026-07-07 2:53 ` [PATCH v2 2/3] wifi: cfg80211: validate assoc response length before status and IE access Zhao Li
2026-07-07 2:53 ` [PATCH v2 3/3] wifi: mac80211: validate deauth frame length before reason access Zhao Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260707031752.31318-1-enderaoelyther@gmail.com \
--to=enderaoelyther@gmail.com \
--cc=johannes@sipsolutions.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox