[PATCH AUTOSEL 6.18] wifi: brcmfmac: validate bsscfg indices in IF events
From: Sasha Levin
Date: Mon Apr 20 2026 - 10:20:12 EST
From: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
[ Upstream commit 304950a467d83678bd0b0f46331882e2ac23b12d ]
brcmf_fweh_handle_if_event() validates the firmware-provided interface
index before it touches drvr->iflist[], but it still uses the raw
bsscfgidx field as an array index without a matching range check.
Reject IF events whose bsscfg index does not fit in drvr->iflist[]
before indexing the interface array.
Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
Acked-by: Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx>
Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@xxxxxxxxxxx
[add missing wifi prefix]
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
LLM Generated explanations, may be completely bogus:
Error: Failed to generate final synthesis
drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
index c2d98ee6652f3..1d25dc9ebca8b 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
@@ -153,6 +153,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr,
bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx);
return;
}
+ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) {
+ bphy_err(drvr, "invalid bsscfg index: %u\n",
+ ifevent->bsscfgidx);
+ return;
+ }
ifp = drvr->iflist[ifevent->bsscfgidx];
--
2.53.0