Re: [PATCH v2 2/2] wifi: b43: fix OOB read from hardware key index in b43_rx()

Next message: Kuan-Wei Chiu: "Re: [PATCH] interconnect: Do not create empty devres on missing interconnects"
Previous message: Laurent Pinchart: "Re: [PATCH v6 10/21] dt-bindings: display: renesas,rzg2l-du: Add support for RZ/G3E SoC"
In reply to: Jonas Gorski: "Re: [PATCH v2 2/2] wifi: b43: fix OOB read from hardware key index in b43_rx()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Michael Büsch

Date: Thu Apr 16 2026 - 12:37:06 EST

On Thu, 16 Apr 2026 08:34:11 +0200
Jonas Gorski <jonas.gorski@xxxxxxxxx> wrote:
> > diff --git a/drivers/net/wireless/broadcom/b43/xmit.c b/drivers/net/wireless/broadcom/b43/xmit.c
> > index XXXXXXX..XXXXXXX 100644
> > --- a/drivers/net/wireless/broadcom/b43/xmit.c
> > +++ b/drivers/net/wireless/broadcom/b43/xmit.c
> > @@ -704,7 +704,10 @@ void b43_rx(struct b43_wldev *dev, struct sk_buff *skb, const void *_rxhdr)
> > */
> > keyidx = b43_kidx_to_raw(dev, keyidx);
> > - B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
> > + if (keyidx >= ARRAY_SIZE(dev->key)) {
> > + b43dbg(dev->wl, "RX: invalid key index %u\n", keyidx);
> > + goto drop;
> > + }
>
> B43_WARN_ON() returns the condition's result, so if you keep it you
> can shorten this to
>
> if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key)))
> goto drop;

Acked-by: Michael Büsch <m@xxxxxxx>

Please also check the b43legacy driver. It may contain exactly the same code.

--
Michael Büsch
https://bues.ch/

Attachment: pgpknMoTFnhGX.pgp
Description: OpenPGP digital signature