[PATCH v2 6/6] wifi: mwifiex: fix OOB read from inflated TLV length in IBSS peer event

Next message: Tristan Madani: "[PATCH v2 2/3] wifi: carl9170: fix OOB read from off-by-two in TX status handler"
Previous message: Tristan Madani: "[PATCH v2 0/3] wifi: carl9170: fix buffer overflow and OOB reads in firmware response handling"
In reply to: Tristan Madani: "[PATCH v2 3/6] wifi: mwifiex: fix OOB read from firmware sta_count in station list response"
Next in thread: Tristan Madani: "[PATCH v2 5/6] wifi: mwifiex: fix OOB read from firmware intf_num in multichannel event"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tristan Madani

Date: Wed Apr 15 2026 - 18:27:23 EST

From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

The IBSS connected handler replaces the buffer-bounded evt_len with
the firmware-controlled TLV header length. An inflated value drives the
IE parsing loop past the event buffer into adjacent kernel heap memory.

Cap the TLV-derived length at the remaining event data size.

Fixes: 432da7d243da ("mwifiex: add HT aggregation support for adhoc mode")
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
drivers/net/wireless/marvell/mwifiex/sta_event.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/sta_event.c b/drivers/net/wireless/marvell/mwifiex/sta_event.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/marvell/mwifiex/sta_event.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_event.c
@@ -46,6 +46,10 @@ static int mwifiex_check_ibss_peer_capabilties(struct mwifiex_private *priv,
evt_len = le16_to_cpu(tlv_mgmt_frame->header.len);
curr += (sizeof(*tlv_mgmt_frame) + 12);
+ if (evt_len > event->len -
+ (curr - event->data))
+ evt_len = event->len -
+ (curr - event->data);
} else {
mwifiex_dbg(priv->adapter, MSG,