* [PATCH] wifi: mwifiex: Fix use after free in mwifiex_11n_dispatch_amsdu_pkt()
@ 2026-01-08 19:57 Dan Carpenter
From: Dan Carpenter @ 2026-01-08 19:57 UTC (permalink / raw)
To: Amitkumar Karwar
Cc: Brian Norris, Francesco Dolcini, Kalle Valo, Cathy Luo,
linux-wireless, linux-kernel, kernel-janitors
The ieee80211_amsdu_to_8023s() function generally frees the skb, so save
the skb->len first before it's freed.
Fixes: 776f742040ca ("mwifiex: fix AMPDU not setup on TDLS link problem")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
index 354c5ce66045..90831a1350f5 100644
--- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
@@ -25,6 +25,7 @@ static int mwifiex_11n_dispatch_amsdu_pkt(struct mwifiex_private *priv,
if (le16_to_cpu(local_rx_pd->rx_pkt_type) == PKT_TYPE_AMSDU) {
struct sk_buff_head list;
+ int skb_len = skb->len;
struct sk_buff *rx_skb;
__skb_queue_head_init(&list);
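Review bot: the value saved into skb_len here is the length of the whole A-MSDU, while the only later user (the TDLS action-frame call in the next hunk) works on one dequeued subframe, rx_skb, so the subframe's own rx_skb->len is what that call needs and a saved copy of the aggregate length is not required. If the local is kept anyway, declaring `int skb_len = skb->len;` after `struct sk_buff *rx_skb;` keeps the declarations ordered the way the surrounding code has them.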
@@ -44,7 +45,7 @@ static int mwifiex_11n_dispatch_amsdu_pkt(struct mwifiex_private *priv,
ntohs(rx_hdr->eth803_hdr.h_proto) == ETH_P_TDLS) {
mwifiex_process_tdls_action_frame(priv,
(u8 *)rx_hdr,
- skb->len);
+ skb_len);
}
if (priv->bss_role == MWIFIEX_BSS_ROLE_UAP)
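Review bot: skb_len passed here is the aggregate length of the original A-MSDU, not the length of the single subframe that rx_hdr points into, so mwifiex_process_tdls_action_frame() would be told the action frame is longer than the buffer it is actually handed and could read past the end of that subframe. Pass the dequeued subframe's own length (rx_skb->len) rather than either skb->len or the saved skb_len; that also removes the use after free without needing the new local.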
--
2.51.0
* Re: [PATCH] wifi: mwifiex: Fix use after free in mwifiex_11n_dispatch_amsdu_pkt()
@ 2026-01-08 21:01 ` Johannes Berg
From: Johannes Berg @ 2026-01-08 21:01 UTC (permalink / raw)
To: Dan Carpenter, Amitkumar Karwar
Cc: Brian Norris, Francesco Dolcini, Kalle Valo, Cathy Luo,
linux-wireless, linux-kernel, kernel-janitors
On Thu, 2026-01-08 at 22:57 +0300, Dan Carpenter wrote:
> @@ -44,7 +45,7 @@ static int mwifiex_11n_dispatch_amsdu_pkt(struct mwifiex_private *priv,
> ntohs(rx_hdr->eth803_hdr.h_proto) == ETH_P_TDLS) {
> mwifiex_process_tdls_action_frame(priv,
> (u8 *)rx_hdr,
> - skb->len);
> + skb_len);
I'm 99% sure that should be rx_skb->len at this point, it can't want to
handle a single A-MSDU encapsulated action as if it was as long as the
entire A-MSDU that held it, that'd likely crash (too), especially if it
wasn't the first frame in it.
johannes
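To illustrate the two points in this thread (the aggregate is freed by the split, and each subframe must be processed with its own length), here is a toy C model added for this page; it is not code from the patch or from the mwifiex driver. The struct, the 2-byte length-prefixed subframe layout, and the names amsdu_split() and dispatch_amsdu() are assumptions of this example, standing in for ieee80211_amsdu_to_8023s() and the dispatch loop.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for struct sk_buff, constructed for this example. */
struct buf { size_t len; struct buf *next; uint8_t data[]; };

static struct buf *buf_alloc(const uint8_t *src, size_t len)
{
	struct buf *b = malloc(sizeof *b + len);
	memcpy(b->data, src, len);
	b->len = len;
	b->next = NULL;
	return b;
}

/* Models ieee80211_amsdu_to_8023s(): subframe = 2-byte big-endian length,
 * then payload. Frees the aggregate before returning, so a caller reading
 * amsdu->len afterwards hits the use after free the patch fixes. */
static struct buf *amsdu_split(struct buf *amsdu)
{
	struct buf *head = NULL, **tail = &head;
	for (size_t off = 0; off + 2 <= amsdu->len; ) {
		size_t sub = ((size_t)amsdu->data[off] << 8) | amsdu->data[off + 1];
		off += 2;
		if (sub > amsdu->len - off)
			break;	/* truncated subframe: stop, drop the rest */
		*tail = buf_alloc(amsdu->data + off, sub);
		tail = &(*tail)->next;
		off += sub;
	}
	free(amsdu);
	return head;
}

/* Models the dispatch loop: each subframe handler must get rx->len, the
 * subframe's own length; the aggregate length saved before the split is
 * larger than any subframe and would read past it. Fills out[] and returns
 * the subframe count. */
static size_t dispatch_amsdu(const uint8_t *frame, size_t frame_len, size_t *out, size_t max)
{
	struct buf *list = amsdu_split(buf_alloc(frame, frame_len));
	size_t n = 0;
	for (struct buf *rx = list, *next; rx; rx = next) {
		next = rx->next;
		if (n < max)
			out[n] = rx->len;
		n++;
		free(rx);
	}
	return n;
}
```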