Re: [PATCH] wifi: cfg80211: don't allow negative key_len values
From: Dan Carpenter
Date: Thu Apr 30 2026 - 03:52:42 EST

On Thu, Apr 30, 2026 at 09:05:35AM +0200, Johannes Berg wrote:
> On Thu, 2026-04-30 at 09:15 +0300, Dan Carpenter wrote:
> > The ath6kl_cfg80211_add_key() function has an upper bounds check on
> > params->key_len which ensures that it can't go over WLAN_MAX_KEY_LEN but
> > it doesn't check for negatives. This could potentially lead to memory
> > corruption.
> >
> > Put a bounds check on negative values in cfg80211_validate_key_settings()
> > to prevent this sort of bug in the future.
>
> Clearly this commit doesn't seem problematic, but I'm not sure I see the
> path to it mattering? The key_len should only ever be set by
> wext/nl80211, and that can't really end up with a negative length?
>
> We should probably just make it a u8 there, no way it's ever bigger than
> that, but I'm not seeing through why this would matter much right now.

Ah. Yeah. You're right. :/ Sorry for the noise.

regards,
dan carpenter
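
The kind of length check discussed in this thread, as an added example that is not part of the original messages and is not kernel or driver code: a signed length validated only against an upper bound, beside a check on both bounds and the unsigned 8-bit alternative mentioned in the reply. All names are hypothetical, and the value 32 for the maximum key length is an assumption standing in for WLAN_MAX_KEY_LEN.

```c
#include <stdint.h>
#include <string.h>

#define MAX_KEY_LEN 32 /* assumed stand-in for WLAN_MAX_KEY_LEN */

struct key_slot {               /* hypothetical driver-side key storage */
    uint8_t key[MAX_KEY_LEN];
    uint8_t key_len;
};

/* Upper bound only: a negative int is "not greater than 32" and passes. */
int check_upper_only(int key_len)
{
    return key_len > MAX_KEY_LEN ? -1 : 0;
}

/* Both bounds on a signed length. */
int check_both_bounds(int key_len)
{
    if (key_len < 0 || key_len > MAX_KEY_LEN)
        return -1;
    return 0;
}

/* With an unsigned 8-bit length a negative value cannot be represented,
 * so the upper bound alone is sufficient. */
int check_u8(uint8_t key_len)
{
    return key_len > MAX_KEY_LEN ? -1 : 0;
}

/* What a signed length turns into when handed to memcpy(), which
 * takes size_t: -1 becomes the largest size_t value. */
size_t as_copy_size(int key_len)
{
    return (size_t)key_len;
}

/* Copy a key only after both bounds are validated. Returns 0 or -1. */
int store_key(struct key_slot *slot, const uint8_t *key, int key_len)
{
    if (check_both_bounds(key_len))
        return -1;
    memcpy(slot->key, key, (size_t)key_len);
    slot->key_len = (uint8_t)key_len;
    return 0;
}
```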