From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wr1-f54.google.com (mail-wr1-f54.google.com [209.85.221.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3A30F1A9F97 for ; Mon, 20 Apr 2026 15:19:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.54 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776698355; cv=none; b=u4/lZiuHXIKBuj+dBYwirx8SMl7hXaNHK+EWO6w5iiK6VzltBpEA6iGF7klyhSWelaGmBN6VgUnCQZlrFS2nMvy7r7FSFnBo9OIqDyjzkdZdBShQq1qlE3zBoTSaxIKCFjKZ6Kj6NTpQ86rs8zOK0dkD1tVf3PvbPzFe48NKS2U= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776698355; c=relaxed/simple; bh=1RIbNCwAwPZ+tO6yRtl9kZg4OcH4KIufSEgKwjXtJas=; h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type: Content-Disposition; b=fTThE8r/nhtBcx68wOGyz4BA7b8iFTzVAvhFoRZK4K2kjFz6bK3XA9jUTGbeMaAvHhXA2ieHaoG7qsdnYCAtc/kKs4CL5mXa+aLvT9Ostt20bDdXzz2vLWbka78anh+27IkAANjgMp5GP/0uqWOB//yP4raWbhSy12b55IAMIEg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=N4GI57oQ; arc=none smtp.client-ip=209.85.221.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="N4GI57oQ" Received: by mail-wr1-f54.google.com with SMTP id ffacd0b85a97d-43eada6d900so3197535f8f.0 for ; Mon, 20 Apr 2026 08:19:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776698351; x=1777303151; darn=vger.kernel.org; h=content-disposition:mime-version:message-id:subject:cc:to:from:date :from:to:cc:subject:date:message-id:reply-to; bh=n3FD/s7AW/AHmwjCwKG79GXRWosFi6qB1cnUUHCz7DA=; b=N4GI57oQ04uNRA3ZJs9n1vawtacpjFGw7guLW337vUk7gecjBFmMJhZk2i6WzrsWh9 Wz5q/VQb8C/xoJStA4dXFPHVbMdrQ18FkSbCpOuGapNbk4v6aXQWlABmlkeNziS2NK3S eSsnf0hSp1rGVLUgrwOCbN4V9SyepGekBScHUAeOdKRpgatz+QIt82DHHiPhYTL6rw2o QAy0Q96UtjHUtl01oJ3ttWVJK5ckn+njLs1xsnd4xMhwEMD5tLJvYpUP6ZODJ/b9gJEi UsAynPizdQXeAFerf18/qb9I3P/g8LuLs2tyIgD6Bm2WiuivcqN2RNQBjKKX/PyxOomg j/sw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776698351; x=1777303151; h=content-disposition:mime-version:message-id:subject:cc:to:from:date :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=n3FD/s7AW/AHmwjCwKG79GXRWosFi6qB1cnUUHCz7DA=; b=CgGtLDUn46Cg6LfYEt2Yey/+rQNExIMJgF4kjD5Cr9lHQJ8hl1dUBsujvXeDPP5FJs QUpJ7yCEr/8JggTSZMO2QyXWBCkSDFSUXFEP+FWIYf8ErkJCwZGkz0ggMEvBPABOZx6Z AXsL6k3ZL/nmpNetvLQ5UcUrnnLjpyuVCFc0FPrvRUPj60TwTlGn/6wlTk+hiAWwF69E mvqzOHba8DrTzqbQc9DUqhZXTya2CfAadtyqn8OYHRqfIkh5WJbw1bJgwNP/+Qof1Wr8 2XXmwiELvVuuRhZCwsj/LbBmu/QcQUlSdcEZLm1SSqcZba/o1GZKcXtcF7K2gyl7A4MI Xn/w== X-Forwarded-Encrypted: i=1; AFNElJ+JNq75ADYi70/HMbQkUMrt5k6P6a7qoTVvNZlHAD1FjY+i+Rpe3I5Gq5bIbFU9X2zsm+shB6ytPKRr/Ik=@vger.kernel.org X-Gm-Message-State: AOJu0Yyt6SAQS7VWKCKqI4WSbsQ0kQAtU9UasAj2kyKe088kKCJIZiRO 80Bn3A477nYwLe1qphmJsDCUBDPrTi2NxzQn/xdvHdQlZneS17mc34ZM X-Gm-Gg: AeBDieugDh4fKnq6bl1dggCcyq+ApPdJVw6pIMSvppR6fYD5EN0TOvMcRsOJLC6bjRR eT77vsYf19uDG2g+SsqXyg/g3lYoSbJVEEeHt24Nwig6fQWxinoi5EC7paapWwj/QkQZHZalzAz 6QaaufzIRL9s9Jw6msM2BxcQcbp6d8agSL4FjPC+3DFfrobUqpdFH5je2slGRIim2908Iufg+vc buwCn5w5QJ4dE+iZex5xvXFsDQUL20rEQuzdftry4l8STce3D9QpsIGa0q3fVBCQj7CYhmM3qZa BADRs5+42FllhWNL70tOWP2S/7PUoqsOy3CzPpJMsrMge3mIyC7u5duzwYNz+ZNfH6sqcD5ArUo qp+ccR/YWt7F27ePBi0L8K8v+qNHf7xiZMDIUJj1ha6oXaWCF+r6NVLmATJfk0mjVQpul0/GJEF XG/NgzGGbjUh6A6uIy2YtfzQDFi/WHkQ== X-Received: by 2002:a5d:64e6:0:b0:43d:26a2:f8c3 with SMTP id ffacd0b85a97d-43fe3e14047mr22847771f8f.35.1776698351391; Mon, 20 Apr 2026 08:19:11 -0700 (PDT) Received: from localhost ([196.207.164.177]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43fe4e3a174sm33822216f8f.18.2026.04.20.08.19.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Apr 2026 08:19:05 -0700 (PDT) Date: Mon, 20 Apr 2026 18:18:58 +0300 From: Dan Carpenter To: Ahmad Masri Cc: Jeff Johnson , Johannes Berg , Sumanth Gavini , Miri Korenblit , Kalle Valo , Maya Erez , linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH] wifi: wil6210: wmi: prevent underflow in wmi_evt_auth_status() Message-ID: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Mailer: git-send-email haha only kidding The problem is this condition: if (ie_len < auth_ie_offset) { The test is supposed to ensure that "d" is large enough to hold a struct wmi_ft_auth_status_event and 3 additional u16 values. The "ie_len" variable can be negative but, because "auth_ie_offset" is type size_t, then negatives are type promoted to high positive values and treated as success. The effect of this bug is that when we do: d_len = le16_to_cpu(data->ie_len); then we may be beyond the end of the "d" / "data" buffer. Fortunately, on the next line: if (d_len != ie_len) { the contition will be false so the negative effects of this bug are quite limited. Fix this bug by changing the type of "auth_ie_offset" to int. Fixes: b9010f105f21 ("wil6210: add FT roam support for AP and station") Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter --- drivers/net/wireless/ath/wil6210/wmi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c index 479b2418ca34..57e6a43a04cf 100644 --- a/drivers/net/wireless/ath/wil6210/wmi.c +++ b/drivers/net/wireless/ath/wil6210/wmi.c @@ -1629,7 +1629,7 @@ wmi_evt_auth_status(struct wil6210_vif *vif, int id, void *d, int len) struct cfg80211_ft_event_params ft; u16 d_len; /* auth_alg(u16) + auth_transaction(u16) + status_code(u16) */ - const size_t auth_ie_offset = sizeof(u16) * 3; + const int auth_ie_offset = sizeof(u16) * 3; struct auth_no_hdr *auth = (struct auth_no_hdr *)data->ie_info; /* check the status */ -- 2.53.0