[PATCH] wifi: wil6210: wmi: prevent underflow in wmi_evt_auth_status()

Next message: Oleksij Rempel: "[PATCH v1 3/3] net: can: j1939: Add initial KUnit tests for socket and transport layers"
Previous message: Jonathan Cameron: "Re: [PATCH v3 2/5] dt-bindings: iio: adc: ad4130: Add new supported parts"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dan Carpenter

Date: Mon Apr 20 2026 - 12:56:46 EST

The problem is this condition:

if (ie_len < auth_ie_offset) {

The test is supposed to ensure that "d" is large enough to hold a struct
wmi_ft_auth_status_event and 3 additional u16 values. The "ie_len"
variable can be negative but, because "auth_ie_offset" is type size_t,
then negatives are type promoted to high positive values and treated as
success. The effect of this bug is that when we do:

d_len = le16_to_cpu(data->ie_len);

then we may be beyond the end of the "d" / "data" buffer. Fortunately,
on the next line:

if (d_len != ie_len) {

the contition will be false so the negative effects of this bug are
quite limited.

Fix this bug by changing the type of "auth_ie_offset" to int.

Fixes: b9010f105f21 ("wil6210: add FT roam support for AP and station")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
---
drivers/net/wireless/ath/wil6210/wmi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c
index 479b2418ca34..57e6a43a04cf 100644
--- a/drivers/net/wireless/ath/wil6210/wmi.c
+++ b/drivers/net/wireless/ath/wil6210/wmi.c
@@ -1629,7 +1629,7 @@ wmi_evt_auth_status(struct wil6210_vif *vif, int id, void *d, int len)
struct cfg80211_ft_event_params ft;
u16 d_len;
/* auth_alg(u16) + auth_transaction(u16) + status_code(u16) */
- const size_t auth_ie_offset = sizeof(u16) * 3;
+ const int auth_ie_offset = sizeof(u16) * 3;
struct auth_no_hdr *auth = (struct auth_no_hdr *)data->ie_info;

/* check the status */
--
2.53.0