[PATCH v2 2/2] wifi: b43: fix OOB read from hardware key index in b43_rx()
From: Tristan Madani
Date: Wed Apr 15 2026 - 18:27:56 EST
From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
The firmware-controlled key index in b43_rx() can exceed the dev->key[]
array size (58 entries). The existing B43_WARN_ON is non-enforcing in
production builds, allowing an out-of-bounds read of 1 byte from struct
b43_firmware. A non-zero OOB value causes RX_FLAG_DECRYPTED to be
incorrectly set on un-decrypted frames.
Replace with an enforcing check that skips the key lookup for invalid
indices.
Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices")
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
drivers/net/wireless/broadcom/b43/xmit.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/broadcom/b43/xmit.c b/drivers/net/wireless/broadcom/b43/xmit.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/broadcom/b43/xmit.c
+++ b/drivers/net/wireless/broadcom/b43/xmit.c
@@ -704,7 +704,10 @@ void b43_rx(struct b43_wldev *dev, struct sk_buff *skb, const void *_rxhdr)
*/
keyidx = b43_kidx_to_raw(dev, keyidx);
- B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
+ if (keyidx >= ARRAY_SIZE(dev->key)) {
+ b43dbg(dev->wl, "RX: invalid key index %u\n", keyidx);
+ goto drop;
+ }
if (dev->key[keyidx].algorithm != B43_SEC_ALGO_NONE) {
wlhdr_len = ieee80211_hdrlen(fctl);