Re: [PATCH] wifi: cfg80211: don't allow negative key_len values

From: Johannes Berg

Date: Thu Apr 30 2026 - 03:06:36 EST


On Thu, 2026-04-30 at 09:15 +0300, Dan Carpenter wrote:
> The ath6kl_cfg80211_add_key() function has an upper bounds check on
> params->key_len which ensures that it can't go over WLAN_MAX_KEY_LEN but
> it doesn't check for negatives. This could potentially lead to memory
> corruption.
>
> Put a bounds check on negative values in cfg80211_validate_key_settings()
> to prevent this sort of bug in the future.

Clearly this commit doesn't seem problematic, but I'm not sure I see the
path to it mattering? The key_len should only ever be set by
wext/nl80211, and that can't really end up with a negative length?

We should probably just make it a u8 there, no way it's ever bigger than
that, but I'm not seeing through why this would matter much right now.

johannes
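
The class of bug the quoted commit message describes, a signed length that passes an upper-bound-only check, shown as an added example; this is not code from the patch, the kernel, or either author. The struct, function names and the 32-byte limit are hypothetical stand-ins constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_MAX_KEY_LEN 32          /* constructed limit for this example */

struct ex_key_params {             /* hypothetical, not the cfg80211 struct */
    const uint8_t *key;
    int key_len;                   /* signed length field */
};

/* Upper bound only: a negative key_len is accepted. */
static int ex_check_upper_only(const struct ex_key_params *p)
{
    return (p->key_len > EX_MAX_KEY_LEN) ? -1 : 0;
}

/* Both bounds: a negative key_len is rejected. */
static int ex_check_both(const struct ex_key_params *p)
{
    return (p->key_len < 0 || p->key_len > EX_MAX_KEY_LEN) ? -1 : 0;
}

/* The byte count a copy routine would see once int becomes size_t. */
static size_t ex_copy_size(int key_len)
{
    return (size_t)key_len;
}

/* Copy guarded by the two-sided check; returns bytes copied or -1. */
static int ex_store_key(uint8_t dst[EX_MAX_KEY_LEN],
                        const struct ex_key_params *p)
{
    if (ex_check_both(p) != 0)
        return -1;
    memcpy(dst, p->key, (size_t)p->key_len);
    return p->key_len;
}

int main(void)
{
    struct ex_key_params neg = { NULL, -1 };   /* constructed input */
    printf("upper-only check: %d\n", ex_check_upper_only(&neg));
    printf("two-sided check:  %d\n", ex_check_both(&neg));
    printf("size if copied:   %zu\n", ex_copy_size(neg.key_len));
    return 0;
}
```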