Re: [PATCH] zd1211rw/mac: Fix out-of-bounds upon RX when unassociated

Next message: Heiko Stuebner: " Re: [PATCH v5 07/10] drm/rockchip: dw_hdmi_qp: Add missing newlines in dev_err_probe() messages"
Previous message: Thomas Hellstr&#xF6;m: "[RFC PATCH 1/1] mm: vmscan: keep anon scanning enabled when swapcache folios are present"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Johannes Berg

Date: Mon Apr 27 2026 - 06:39:16 EST

On Wed, 2026-04-15 at 19:08 +0200, Lubomir Rintel wrote:
> Upon plugging the adapter, UBSAN complains about an out of bounds read:

> It is correct: if zd_mac_rx() is called when unassociated, the channel
> is 0, becomes -1 under assumption there's a proper channel number
> starting from 1.

The 'unassociated' part here seems rather misleading - it's basically
when it's called before mac80211 configures the channel?

Maybe zd_rf_init() should set the channel to 1 or whatever the default
channel of the device is? I'm surprised it even receives anything before
being properly configured. But I also see no way to ever go to an
invalid channel number again after the initial configuration of a
channel.

Never mind that the reporting is also racy, but I guess it doesn't
really matter too much ... I had a couple of these devices but they all
broke.

I don't mind applying this patch either, but please edit the commit
message to not mislead about association. If I'm reading it correctly
then all that matters is that it receives before a channel config, and
that only happens as a race during init.

johannes