Re: [PATCH v3 3/6] wifi: mwifiex: fix OOB read from firmware sta_count in station list response

Next message: Mark Brown: "Re: [PATCH 0/3] spi: orion: runtime PM fixes"
Previous message: Mark Brown: "Re: [PATCH] regulator: qcom: Unify user-visible &quot;Qualcomm&quot; name"
In reply to: Brian Norris: "Re: [PATCH v3 3/6] wifi: mwifiex: fix OOB read from firmware sta_count in station list response"
Next in thread: Johannes Berg: "Re: [PATCH v3 3/6] wifi: mwifiex: fix OOB read from firmware sta_count in station list response"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Johannes Berg

Date: Wed Apr 22 2026 - 15:58:55 EST

On Wed, 2026-04-22 at 12:54 -0700, Brian Norris wrote:
> > But regardless, I question the sanity of checking the size against the
> > size the firmware said the whole thing was going to be, rather than
> > checking against the actual buffer size ...
>
> Admittedly, I get lost in this driver sometimes...
> ...but I think you have a very good point. AFAICT, we never do anything
> to check the size of adapter->curr_cmd->resp_skb. We generally assume
> it's big enough to fit 'struct host_cmd_ds_command' (since we allocate
> it ourselves). But we don't ever go back to check these
> dynamically-sized fields don't overflow it.
>

There are some (response) buffers where the size is checked before
copying, but I didn't trace this back further than the SKB coming from
pcie/sdio/usb, but I don't see any check of the firmware-advertised size
vs. the actual skb->len.

johannes