From: Francesco Dolcini <francesco@dolcini.it>
To: Christopher Kleiner <chris@kleiner.pro>
Cc: briannorris@chromium.org, linux-wireless@vger.kernel.org,
francesco@dolcini.it, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] wifi: mwifiex: validate HT/VHT element length before storing beacon IE pointers
Date: Fri, 17 Jul 2026 16:31:02 +0200 [thread overview]
Message-ID: <20260717143102.GA512678@francesco-nb> (raw)
In-Reply-To: <20260717000017.61415-1-chris@kleiner.pro>
On Thu, Jul 16, 2026 at 08:00:17PM -0400, Christopher Kleiner wrote:
> mwifiex_update_bss_desc_with_ie() stores raw pointers into the beacon
> buffer for the HT Capability, HT Operation, VHT Capability and VHT
> Operation elements without checking that the element is long enough to
> hold the corresponding fixed-size structure. The generic IE loop only
> guarantees that the declared element length fits inside the beacon
> buffer (bytes_left >= total_ie_len); it does not guarantee that
> element_len is large enough for the struct that later consumers copy.
>
> beacon_buf is a tight kmemdup() of the over-the-air IEs. When the
> association command is built, mwifiex_cmd_append_11n_tlv() /
> mwifiex_cmd_append_11ac_tlv() copy a fixed number of bytes from the
> stored pointers (sizeof(struct ieee80211_ht_cap) and friends). A
> malicious AP that emits a beacon or probe response ending in a
> truncated (e.g. zero-length) HT Capability element leaves bcn_ht_cap
> pointing near the end of the slab, and the subsequent copy reads out of
> bounds. The leaked bytes are placed into the association request
> transmitted back to the AP, disclosing adjacent slab memory; on
> CONFIG_KASAN / panic_on_oops kernels it is an out-of-bounds oops.
>
> Commit 685c9b7750bf ("mwifiex: Abort at too short BSS descriptor
> element") added such length checks for the FH/DS/CF/IBSS parameter sets
> and a few other elements, but did not cover the HT/VHT capability and
> operation elements. Validate element_len against the size of the
> structure that will be consumed, mirroring those existing checks.
>
> Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Christopher Kleiner <chris@kleiner.pro>
Duplicate? We already have this in review https://lore.kernel.org/all/20260709100800.7026-1-doruk@0sec.ai/
prev parent reply other threads:[~2026-07-17 14:31 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-17 0:00 [PATCH] wifi: mwifiex: validate HT/VHT element length before storing beacon IE pointers Christopher Kleiner
2026-07-17 14:31 ` Francesco Dolcini [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260717143102.GA512678@francesco-nb \
--to=francesco@dolcini.it \
--cc=briannorris@chromium.org \
--cc=chris@kleiner.pro \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox