Linux wireless drivers development
 help / color / mirror / Atom feed
From: Zhao Li <enderaoelyther@gmail.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/3] wifi: cfg80211: validate assoc response length before status and IE access
Date: Tue,  7 Jul 2026 11:17:52 +0800	[thread overview]
Message-ID: <20260707031752.31318-1-enderaoelyther@gmail.com> (raw)
In-Reply-To: <c967e7897f421fde56ca4367c9e10d0c6d9f7ec4.camel@sipsolutions.net>

On Mon, 2026-07-06 at 12:39 +0200, Johannes Berg wrote:
> What makes you claim "unsafe"?

"Unsafe" as in accessed before data->len is validated against the
fixed-field layout, not as in known-exploitable on valid traffic. In
the original struct initialiser, unconditionally:

 - .status = le16_to_cpu(mgmt->u.assoc_resp.status_code) reads two bytes
   at offset 26, needing data->len >= 28;
 - .resp_ie = mgmt->u.assoc_resp.variable points at offset 30 (non-S1G);
 - .resp_ie_len = data->len - 30 is a size_t, so it underflows to near
   SIZE_MAX when data->len < 30.

resp_ie/resp_ie_len are not a harmless local intermediate: they are
consumed by __cfg80211_connect_result() and nl80211_send_connect_result(),
including the kzalloc() sizing and the memcpy()/nla_put() of resp_ie_len
bytes. So the underflow can feed a later copy/nla_put length rather than
remaining a harmless local value.

The mac80211 caller is fine: ieee80211_rx_mgmt_assoc_resp() gates on
len < 24 + 6 (== offsetof(..., u.assoc_resp.variable)) first. The
mwifiex handoff to cfg80211_rx_assoc_resp() only checks that assoc_rsp_size
is non-zero.

For S1G the IE offset is 28, not 30; the old code filled the regular
assoc-response fields first and only patched resp_ie later once it saw
S1G. v2 makes both layouts explicit and validates data->len before
assigning the fields.

If "unsafe" is too loaded here, I can reword it to "unvalidated" or
"unchecked" in a v3.

Thanks,
Zhao Li

  reply	other threads:[~2026-07-07  3:18 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-12 18:50 [PATCH 1/3] wifi: cfg80211: validate rx/tx MLME callback frame lengths before access Zhao Li
2026-06-12 18:50 ` [PATCH 2/3] wifi: cfg80211: validate assoc response length before status and IE access Zhao Li
2026-07-06 10:39   ` Johannes Berg
2026-07-07  3:17     ` Zhao Li [this message]
2026-06-12 18:50 ` [PATCH 3/3] wifi: mac80211: validate deauth frame length before reason access Zhao Li
2026-07-06 10:37 ` [PATCH 1/3] wifi: cfg80211: validate rx/tx MLME callback frame lengths before access Johannes Berg
2026-07-07  2:52   ` Zhao Li
2026-07-07  7:21     ` Johannes Berg
2026-07-07  2:53   ` [PATCH v2 " Zhao Li
2026-07-07  2:53     ` [PATCH v2 2/3] wifi: cfg80211: validate assoc response length before status and IE access Zhao Li
2026-07-07  2:53     ` [PATCH v2 3/3] wifi: mac80211: validate deauth frame length before reason access Zhao Li

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260707031752.31318-1-enderaoelyther@gmail.com \
    --to=enderaoelyther@gmail.com \
    --cc=johannes@sipsolutions.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox