[PATCH v2 3/3] wifi: wl18xx: fix OOB read from firmware SSID/password lengths in smart config event

Next message: Tristan Madani: "[PATCH v2 0/2] wifi: b43: fix OOB read and infinite loop from hardware-reported values"
Previous message: Viacheslav Dubeyko: "Re: [PATCH] hfsplus: Add a sanity check for catalog btree node size"
In reply to: Tristan Madani: "[PATCH v2 1/3] wifi: wl18xx: fix OOB read from firmware rx_ba_link_id in BA event handler"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tristan Madani

Date: Wed Apr 15 2026 - 18:33:29 EST

From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

The firmware-controlled sc_ssid_len and sc_pwd_len values are used as
nla_put sizes from fixed-size mailbox buffers (32 and 64 bytes) without
bounds checking. Values exceeding the buffer sizes cause out-of-bounds
reads delivered to userspace via nl80211 vendor events.

Clamp the lengths to the mailbox buffer sizes before use.

Fixes: e93e15fb47e5 ("wlcore/wl18xx: handle smart config events")
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
drivers/net/wireless/ti/wl18xx/event.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/ti/wl18xx/event.c b/drivers/net/wireless/ti/wl18xx/event.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/ti/wl18xx/event.c
+++ b/drivers/net/wireless/ti/wl18xx/event.c
@@ -82,6 +82,9 @@ static int wlcore_smart_config_decode_event(struct wl1271 *wl,
{
struct sk_buff *skb;

+ ssid_len = min_t(u8, ssid_len, 32);
+ pwd_len = min_t(u8, pwd_len, 64);
+
wl1271_debug(DEBUG_EVENT, "SMART_CONFIG_DECODE_EVENT_ID");
wl1271_dump_ascii(DEBUG_EVENT, "SSID:", ssid, ssid_len);