Re: [PATCH] wifi: mwifiex: validate HT/VHT element length before storing beacon IE pointers
From: Francesco Dolcini
Date: Fri Jul 17 2026 - 10:33:11 EST
On Thu, Jul 16, 2026 at 08:00:17PM -0400, Christopher Kleiner wrote:
> mwifiex_update_bss_desc_with_ie() stores raw pointers into the beacon
> buffer for the HT Capability, HT Operation, VHT Capability and VHT
> Operation elements without checking that the element is long enough to
> hold the corresponding fixed-size structure. The generic IE loop only
> guarantees that the declared element length fits inside the beacon
> buffer (bytes_left >= total_ie_len); it does not guarantee that
> element_len is large enough for the struct that later consumers copy.
>
> beacon_buf is a tight kmemdup() of the over-the-air IEs. When the
> association command is built, mwifiex_cmd_append_11n_tlv() /
> mwifiex_cmd_append_11ac_tlv() copy a fixed number of bytes from the
> stored pointers (sizeof(struct ieee80211_ht_cap) and friends). A
> malicious AP that emits a beacon or probe response ending in a
> truncated (e.g. zero-length) HT Capability element leaves bcn_ht_cap
> pointing near the end of the slab, and the subsequent copy reads out of
> bounds. The leaked bytes are placed into the association request
> transmitted back to the AP, disclosing adjacent slab memory; on
> CONFIG_KASAN / panic_on_oops kernels it is an out-of-bounds oops.
>
> Commit 685c9b7750bf ("mwifiex: Abort at too short BSS descriptor
> element") added such length checks for the FH/DS/CF/IBSS parameter sets
> and a few other elements, but did not cover the HT/VHT capability and
> operation elements. Validate element_len against the size of the
> structure that will be consumed, mirroring those existing checks.
>
> Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Christopher Kleiner <chris@xxxxxxxxxxx>
Duplicate? We already have this in review https://lore.kernel.org/all/20260709100800.7026-1-doruk@xxxxxxx/