From: Dan Carpenter <error27@gmail.com>
To: Ahmad Masri <quic_amasri@quicinc.com>
Cc: Jeff Johnson <jeff.johnson@oss.qualcomm.com>,
Johannes Berg <johannes.berg@intel.com>,
Sumanth Gavini <sumanth.gavini@yahoo.com>,
Miri Korenblit <miriam.rachel.korenblit@intel.com>,
Kalle Valo <kvalo@kernel.org>, Maya Erez <quic_merez@quicinc.com>,
linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: [PATCH] wifi: wil6210: wmi: prevent underflow in wmi_evt_auth_status()
Date: Mon, 20 Apr 2026 18:18:58 +0300 [thread overview]
Message-ID: <aeZD4hGhsrsSJczJ@stanley.mountain> (raw)
The problem is this condition:
if (ie_len < auth_ie_offset) {
The test is supposed to ensure that "d" is large enough to hold a struct
wmi_ft_auth_status_event and 3 additional u16 values. The "ie_len"
variable can be negative but, because "auth_ie_offset" is type size_t,
then negatives are type promoted to high positive values and treated as
success. The effect of this bug is that when we do:
d_len = le16_to_cpu(data->ie_len);
then we may be beyond the end of the "d" / "data" buffer. Fortunately,
on the next line:
if (d_len != ie_len) {
the contition will be false so the negative effects of this bug are
quite limited.
Fix this bug by changing the type of "auth_ie_offset" to int.
Fixes: b9010f105f21 ("wil6210: add FT roam support for AP and station")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <error27@gmail.com>
---
drivers/net/wireless/ath/wil6210/wmi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c
index 479b2418ca34..57e6a43a04cf 100644
--- a/drivers/net/wireless/ath/wil6210/wmi.c
+++ b/drivers/net/wireless/ath/wil6210/wmi.c
@@ -1629,7 +1629,7 @@ wmi_evt_auth_status(struct wil6210_vif *vif, int id, void *d, int len)
struct cfg80211_ft_event_params ft;
u16 d_len;
/* auth_alg(u16) + auth_transaction(u16) + status_code(u16) */
- const size_t auth_ie_offset = sizeof(u16) * 3;
+ const int auth_ie_offset = sizeof(u16) * 3;
struct auth_no_hdr *auth = (struct auth_no_hdr *)data->ie_info;
/* check the status */
--
2.53.0
reply other threads:[~2026-04-20 15:19 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aeZD4hGhsrsSJczJ@stanley.mountain \
--to=error27@gmail.com \
--cc=jeff.johnson@oss.qualcomm.com \
--cc=johannes.berg@intel.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=miriam.rachel.korenblit@intel.com \
--cc=quic_amasri@quicinc.com \
--cc=quic_merez@quicinc.com \
--cc=sumanth.gavini@yahoo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox