[PATCH] brcmfmac: validate bsscfg indices in IF events

Linux wireless drivers development
 help / color / mirror / Atom feed

* [PATCH] brcmfmac: validate bsscfg indices in IF events
@ 2026-03-23  7:45 Pengpeng Hou
  2026-03-28 19:32 ` Arend van Spriel
  0 siblings, 1 reply; 2+ messages in thread
From: Pengpeng Hou @ 2026-03-23  7:45 UTC (permalink / raw)
  To: arend.vanspriel
  Cc: johannes.berg, chi-hsien.lin, chung-hsien.hsu, linux-wireless,
	brcm80211, brcm80211-dev-list.pdl, linux-kernel, kees, pengpeng

brcmf_fweh_handle_if_event() validates the firmware-provided interface
index before it touches drvr->iflist[], but it still uses the raw
bsscfgidx field as an array index without a matching range check.

Reject IF events whose bsscfg index does not fit in drvr->iflist[]
before indexing the interface array.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
index 984886481f4e..1cff4ba76943 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
@@ -153,6 +153,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr,
 		bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx);
 		return;
 	}
+	if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) {
+		bphy_err(drvr, "invalid bsscfg index: %u\n",
+			 ifevent->bsscfgidx);
+		return;
+	}
 
 	ifp = drvr->iflist[ifevent->bsscfgidx];
 
-- 
2.50.1 (Apple Git-155)


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] brcmfmac: validate bsscfg indices in IF events
  2026-03-23  7:45 [PATCH] brcmfmac: validate bsscfg indices in IF events Pengpeng Hou
@ 2026-03-28 19:32 ` Arend van Spriel
  0 siblings, 0 replies; 2+ messages in thread
From: Arend van Spriel @ 2026-03-28 19:32 UTC (permalink / raw)
  To: Pengpeng Hou
  Cc: johannes.berg, chi-hsien.lin, chung-hsien.hsu, linux-wireless,
	brcm80211, brcm80211-dev-list.pdl, linux-kernel, kees

On 23/03/2026 08:45, Pengpeng Hou wrote:
> brcmf_fweh_handle_if_event() validates the firmware-provided interface
> index before it touches drvr->iflist[], but it still uses the raw
> bsscfgidx field as an array index without a matching range check.
> 
> Reject IF events whose bsscfg index does not fit in drvr->iflist[]
> before indexing the interface array.

Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>

> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++
>   1 file changed, 5 insertions(+)

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-03-28 19:32 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-23  7:45 [PATCH] brcmfmac: validate bsscfg indices in IF events Pengpeng Hou
2026-03-28 19:32 ` Arend van Spriel

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox