Re: [PATCH v2 2/2] wifi: b43: fix OOB read from hardware key index in b43_rx()
From: Jonas Gorski
Date: Thu Apr 16 2026 - 02:34:45 EST
Hi,
On Thu, Apr 16, 2026 at 12:24 AM Tristan Madani <tristmd@xxxxxxxxx> wrote:
>
> From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
>
> The firmware-controlled key index in b43_rx() can exceed the dev->key[]
> array size (58 entries). The existing B43_WARN_ON is non-enforcing in
> production builds, allowing an out-of-bounds read of 1 byte from struct
> b43_firmware. A non-zero OOB value causes RX_FLAG_DECRYPTED to be
> incorrectly set on un-decrypted frames.
>
> Replace with an enforcing check that skips the key lookup for invalid
> indices.
>
> Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices")
> Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
> ---
> drivers/net/wireless/broadcom/b43/xmit.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/broadcom/b43/xmit.c b/drivers/net/wireless/broadcom/b43/xmit.c
> index XXXXXXX..XXXXXXX 100644
> --- a/drivers/net/wireless/broadcom/b43/xmit.c
> +++ b/drivers/net/wireless/broadcom/b43/xmit.c
> @@ -704,7 +704,10 @@ void b43_rx(struct b43_wldev *dev, struct sk_buff *skb, const void *_rxhdr)
> */
> keyidx = b43_kidx_to_raw(dev, keyidx);
> - B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
> + if (keyidx >= ARRAY_SIZE(dev->key)) {
> + b43dbg(dev->wl, "RX: invalid key index %u\n", keyidx);
> + goto drop;
> + }
B43_WARN_ON() returns the condition's result, so if you keep it you
can shorten this to
if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key)))
goto drop;
Best regards,
Jonas