Re: [PATCH v3 3/6] wifi: mwifiex: fix OOB read from firmware sta_count in station list response

Next message: David Hildenbrand (Arm): "Re: [PATCH v4 4/5] mm/mm_init: Fix pageblock migratetype for ZONE_DEVICE compound pages"
Previous message: Dmitry Baryshkov: "Re: [PATCH 2/2] drm/bridge: Add LT7911EXC edp to mipi bridge driver"
In reply to: Johannes Berg: "Re: [PATCH v3 3/6] wifi: mwifiex: fix OOB read from firmware sta_count in station list response"
Next in thread: Tristan Madani: "[PATCH v3 4/6] wifi: mwifiex: fix OOB read in scan response from mismatched TLV data sizes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Johannes Berg

Date: Wed Apr 22 2026 - 15:06:49 EST

On Tue, 2026-04-21 at 13:49 +0000, Tristan Madani wrote:
> From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
>
> The firmware-controlled sta_count (u16) is used as an unbounded loop
> counter for iterating station info entries. An inflated count drives
> reads past the response buffer into kernel heap memory.
>
> Add a check that sta_count fits within the response size.
>
> Fixes: b21783e94e20 ("mwifiex: add sta_list firmware command")
> Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
> ---
> Changes in v3:
> - Regenerated from wireless-next with proper git format-patch to
> produce valid index hashes (v2 had post-processed index lines).

For the record, that wasn't the problem. I _think_ the problem was that
your post-processing also skipped whitespace-only lines, which are very
relevant in patches.

johannes