[PATCH] wifi: cfg80211: don't allow negative key_len values

Linux wireless drivers development
 help / color / mirror / Atom feed

From: Dan Carpenter <error27@gmail.com>
To: Kalle Valo <kvalo@qca.qualcomm.com>
Cc: Johannes Berg <johannes@sipsolutions.net>,
	Raja Mani <rmani@qca.qualcomm.com>,
	Vasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>,
	Jouni Malinen <jouni@qca.qualcomm.com>,
	linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
	kernel-janitors@vger.kernel.org
Subject: [PATCH] wifi: cfg80211: don't allow negative key_len values
Date: Thu, 30 Apr 2026 09:15:48 +0300	[thread overview]
Message-ID: <afLzlDT5VF4D746w@stanley.mountain> (raw)

The ath6kl_cfg80211_add_key() function has an upper bounds check on
params->key_len which ensures that it can't go over WLAN_MAX_KEY_LEN but
it doesn't check for negatives.  This could potentially lead to memory
corruption.

Put a bounds check on negative values in cfg80211_validate_key_settings()
to prevent this sort of bug in the future.

Fixes: bdcd81707973 ("Add ath6kl cleaned up driver")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <error27@gmail.com>
---
This is from static analysis.  I can't think why a driver would ever
want a negative length and I think this is the safest solution.  But
I have not tested it.

 net/wireless/util.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/wireless/util.c b/net/wireless/util.c
index b78530c3e3f8..4552229eb2d2 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -397,6 +397,8 @@ int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
 		 * or not the driver supports this algorithm,
 		 * of course.
 		 */
+		if (params->key_len < 0)
+			return -EINVAL;
 		break;
 	}
 
-- 
2.53.0

next             reply	other threads:[~2026-04-30  6:15 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-30  6:15 Dan Carpenter [this message]
2026-04-30  7:05 ` [PATCH] wifi: cfg80211: don't allow negative key_len values Johannes Berg
2026-04-30  7:52   ` Dan Carpenter

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:b78530c3e3f dfblob:4552229eb2d )
 OR (
bs:"[PATCH] wifi: cfg80211: don't allow negative key_len values" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=afLzlDT5VF4D746w@stanley.mountain \
    --to=error27@gmail.com \
    --cc=johannes@sipsolutions.net \
    --cc=jouni@qca.qualcomm.com \
    --cc=kernel-janitors@vger.kernel.org \
    --cc=kvalo@qca.qualcomm.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=rmani@qca.qualcomm.com \
    --cc=vthiagar@qca.qualcomm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox