Re: [PATCH v3 5/6] wifi: mwifiex: fix OOB read from firmware intf_num in multichannel event
From: Brian Norris
Date: Tue Apr 21 2026 - 19:20:31 EST
On Tue, Apr 21, 2026 at 01:49:37PM +0000, Tristan Madani wrote:
> From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
>
> The firmware-controlled intf_num is used to iterate the flexible array
> bss_type_numlist[] without checking it against the TLV data length. An
> inflated value causes out-of-bounds reads past the TLV data.
>
> Clamp intf_num to the available TLV data.
>
> Fixes: 8d6b538a5eac ("mwifiex: handle multichannel event")
> Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
> ---
> Changes in v3:
> - Regenerated from wireless-next with proper git format-patch to
> produce valid index hashes (v2 had post-processed index lines).
>
> Changes in v2:
> - No code changes from v1.
>
> drivers/net/wireless/marvell/mwifiex/sta_event.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/drivers/net/wireless/marvell/mwifiex/sta_event.c b/drivers/net/wireless/marvell/mwifiex/sta_event.c
> index fecd88967ceb8..6b7e5b6a66a9e 100644
> --- a/drivers/net/wireless/marvell/mwifiex/sta_event.c
> +++ b/drivers/net/wireless/marvell/mwifiex/sta_event.c
> @@ -450,6 +450,14 @@ void mwifiex_process_multi_chan_event(struct mwifiex_private *priv,
>
> grp_info = (struct mwifiex_ie_types_mc_group_info *)tlv;
> intf_num = grp_info->intf_num;
> + {
I don't think it's typical style to add arbitrary context blocks /
braces just to declare a new variable. It increases the indentation
unnecessarily, for one.
I'd suggest dropping these braces and moving the 'u16 fixed_len;'
declaration up to the top of this block.
> + u16 fixed_len = sizeof(*grp_info) -
> + sizeof(grp_info->header);
> + if (tlv_len < fixed_len ||
> + intf_num > tlv_len - fixed_len)
...then there will be less indentation and these line breaks are less
necessary.
Brian
> + intf_num = 0;
> + }
> +
> for (i = 0; i < intf_num; i++) {
> bss_type = grp_info->bss_type_numlist[i] >> 4;
> bss_num = grp_info->bss_type_numlist[i] & BSS_NUM_MASK;
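Review bot: the commit message says intf_num is "clamped" to the available TLV data, but the check at `if (tlv_len < fixed_len || intf_num > tlv_len - fixed_len)` sets `intf_num = 0`, which discards the whole bss_type_numlist[] rather than truncating it to what fits. Either reword the message to say the group-info list is ignored when its length is inconsistent, or actually clamp (`intf_num = tlv_len - fixed_len;` in the second case, with the `tlv_len < fixed_len` case still skipping the loop). Whichever is chosen, a dev_dbg()/mwifiex_dbg() line on the malformed length would make a misbehaving firmware visible instead of silently dropping the event.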
> --
> 2.47.3
>