Re: [PATCH] wifi: mt76: connac: fix out of bounds read in mt76_connac2_load_patch()
From: Mario Limonciello
Date: Wed Dec 17 2025 - 17:30:13 EST
On 12/17/25 4:26 PM, Bert Karwatzki wrote:
As sizeof(hdr->build_date) is 16, reading 17 bytes (sizeof(build_date))
results in the following error:
[ T378] ------------[ cut here ]------------
[ T378] strnlen: detected buffer overflow: 17 byte read of buffer size 16
[ T378] WARNING: lib/string_helpers.c:1036 at __fortify_report+0x3e/0x50, CPU#15: kworker/15:1/378
[...]
[ T378] mt76_connac2_load_patch.cold+0x2a/0x313 [mt76_connac_lib]
[ T378] mt792x_load_firmware+0x31/0x140 [mt792x_lib]
Fixes: f804a5895eba ("wifi: mt76: Strip whitespace from build ddate")
Signed-off-by: Bert Karwatzki <spasswolf@xxxxxx>
---
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
index ea99167765b0..aca3d7870dce 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
@@ -3125,7 +3125,7 @@ int mt76_connac2_load_patch(struct mt76_dev *dev, const char *fw_name)
}
hdr = (const void *)fw->data;
- strscpy(build_date, hdr->build_date, sizeof(build_date));
+ strscpy(build_date, hdr->build_date, sizeof(hdr->build_date));
build_date[16] = '\0';
strim(build_date);
dev_info(dev->dev, "HW/SW Version: 0x%x, Build Time: %.16s\n",
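Review bot: on the changed strscpy() line, bounding the copy by sizeof(hdr->build_date) (16 per the commit message) keeps the read inside the header field, but strscpy() copies at most size - 1 characters before writing its terminator, so a build date that fills all 16 bytes now loses its last character. The 17-byte strnlen report in the trace suggests the field can be completely filled with no NUL inside it, so that case looks reachable. Since build_date is 17 bytes and build_date[16] = '\0' is already set on the next line, a memcpy(build_date, hdr->build_date, sizeof(hdr->build_date)) would keep all 16 characters without reading past the field. If truncating to 15 characters is intended, please say so in the commit message.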
FYI - there's already a fix here waiting for a maintainer to pick it.
https://lore.kernel.org/all/CABXGCsMeAZyNJ-Axt_CUCXgyieWPV3rrcLpWsveMPT8R0YPGnQ@xxxxxxxxxxxxxx/