Re: [PATCH v3 6/6] wifi: mwifiex: fix OOB read from inflated TLV length in IBSS peer event
From: Brian Norris
Date: Tue Apr 21 2026 - 19:25:52 EST
Hi Tristan,
On Tue, Apr 21, 2026 at 01:49:38PM +0000, Tristan Madani wrote:
> From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
>
> The IBSS connected handler replaces the buffer-bounded evt_len with
> the firmware-controlled TLV header length. An inflated value drives the
> IE parsing loop past the event buffer into adjacent kernel heap memory.
>
> Cap the TLV-derived length at the remaining event data size.
>
> Fixes: 432da7d243da ("mwifiex: add HT aggregation support for adhoc mode")
> Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
> ---
> Changes in v3:
> - Regenerated from wireless-next with proper git format-patch to
> produce valid index hashes (v2 had post-processed index lines).
>
> Changes in v2:
> - No code changes from v1.
>
> drivers/net/wireless/marvell/mwifiex/sta_event.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/net/wireless/marvell/mwifiex/sta_event.c b/drivers/net/wireless/marvell/mwifiex/sta_event.c
> index 6b7e5b6a66a9e..62a879c09106e 100644
> --- a/drivers/net/wireless/marvell/mwifiex/sta_event.c
> +++ b/drivers/net/wireless/marvell/mwifiex/sta_event.c
> @@ -45,6 +45,10 @@ static int mwifiex_check_ibss_peer_capabilities(struct mwifiex_private *priv,
> */
> evt_len = le16_to_cpu(tlv_mgmt_frame->header.len);
> curr += (sizeof(*tlv_mgmt_frame) + 12);
> + if (evt_len > event->len -
> + (curr - event->data))
> + evt_len = event->len -
> + (curr - event->data);
The above 4 line have excessive line breaks. You're not even close to 80
characters (the old-school line limit), let alone the more modern 100
limit that checkpatch uses.
Just make this 2 unbroken lines:
if (condition)
evt_len = ...;
Brian
> } else {
> mwifiex_dbg(priv->adapter, MSG,
> "management frame tlv not found!\n");
> --
> 2.47.3
>