Re: [PATCH v3 4/6] wifi: mwifiex: fix OOB read in scan response from mismatched TLV data sizes

From: Brian Norris

Date: Wed Apr 22 2026 - 14:32:15 EST


On Tue, Apr 21, 2026 at 01:49:36PM +0000, Tristan Madani wrote:
> From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
>
> The TSF and ChanBand TLV arrays are indexed by the firmware-controlled
> number_of_sets without cross-checking against the TLV header length
> fields. When number_of_sets exceeds the TLV data, the loop reads past
> the TLV data into adjacent command response memory.
>
> Stop using the TLV data once the index exceeds its reported length.
>
> Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
> Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
> ---
> Changes in v3:
> - Regenerated from wireless-next with proper git format-patch to
> produce valid index hashes (v2 had post-processed index lines).
>
> Changes in v2:
> - No code changes from v1.
>
> drivers/net/wireless/marvell/mwifiex/scan.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)

My brain cries a little every time I have to read and trust this sort of
arithmetic in C.

Acked-by: Brian Norris <briannorris@xxxxxxxxxxxx>
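
The check the quoted commit message describes, as an added example that is not part of the patch or of the mwifiex driver: a device-supplied entry count is cross-checked against the TLV header length before each index is used. The struct, the function names and the 8-byte entry size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ENTRY_SIZE 8u /* assumed size of one per-set entry */

/* Hypothetical view of one TLV: len is the header's length field,
 * data points at the payload inside the command response buffer. */
struct tlv_view {
    uint16_t len;
    const uint8_t *data;
};

/* Copy entry idx out of the TLV only if it lies entirely inside the
 * payload the header reports. Returns 1 on success, 0 otherwise. */
static int tlv_entry_get(const struct tlv_view *tlv, size_t idx,
                         size_t entry_size, void *out)
{
    if (!tlv || !tlv->data || entry_size == 0)
        return 0;
    /* Dividing avoids overflow in (idx + 1) * entry_size and also
     * rejects a trailing partial entry. */
    if (idx >= tlv->len / entry_size)
        return 0;
    memcpy(out, tlv->data + idx * entry_size, entry_size);
    return 1;
}

/* Walk number_of_sets (device-controlled) and count the sets that
 * were actually backed by TLV data; the rest go without it. */
static size_t count_backed_sets(const struct tlv_view *tlv,
                                size_t number_of_sets)
{
    uint8_t entry[ENTRY_SIZE];
    size_t i, used = 0;

    for (i = 0; i < number_of_sets; i++)
        used += tlv_entry_get(tlv, i, sizeof(entry), entry);
    return used;
}

int main(void)
{
    uint8_t payload[20] = {0};            /* constructed sample payload */
    struct tlv_view tlv = { sizeof(payload), payload };

    /* Count claims 5 sets, but 20 bytes hold only 2 whole entries. */
    printf("%zu\n", count_backed_sets(&tlv, 5));
    return 0;
}
```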