[PATCH] wifi: cfg80211: don't allow negative key_len values

Next message: Furkan &#xC7;al&#x131;&#x15F;kan: "Re: [PATCH] sched/fair: Fix wakeup_preempt_fair for not waking up task"
Previous message: Samir M: "Re: [mainline][BUG] Observed Workqueue lockups on offline CPUs."
Next in thread: Johannes Berg: "Re: [PATCH] wifi: cfg80211: don't allow negative key_len values"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dan Carpenter

Date: Thu Apr 30 2026 - 02:19:22 EST

The ath6kl_cfg80211_add_key() function has an upper bounds check on
params->key_len which ensures that it can't go over WLAN_MAX_KEY_LEN but
it doesn't check for negatives. This could potentially lead to memory
corruption.

Put a bounds check on negative values in cfg80211_validate_key_settings()
to prevent this sort of bug in the future.

Fixes: bdcd81707973 ("Add ath6kl cleaned up driver")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
---
This is from static analysis. I can't think why a driver would ever
want a negative length and I think this is the safest solution. But
I have not tested it.

net/wireless/util.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/wireless/util.c b/net/wireless/util.c
index b78530c3e3f8..4552229eb2d2 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -397,6 +397,8 @@ int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
* or not the driver supports this algorithm,
* of course.
*/
+ if (params->key_len < 0)
+ return -EINVAL;
break;
}

--
2.53.0