wifi: b43legacy: enforce bounds check on firmware key index in RX path

Same fix as b43: the firmware-controlled key index in b43legacy_rx()
can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is
non-enforcing in production builds, allowing an out-of-bounds read of
dev->key[].

Make the check enforcing by dropping the frame for invalid indices.

Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Link: https://patch.msgid.link/20260417111145.2694196-2-tristmd@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/drivers/net/wireless/broadcom/b43legacy/xmit.c b/drivers/net/wireless/broadcom/b43legacy/xmit.c
index efd63f4ce74f2b0d7530a8c6bf0b988feb239e93..ee199d4eaf039a963db4dbd11b441e78fd95970c 100644 (file)
--- a/drivers/net/wireless/broadcom/b43legacy/xmit.c
+++ b/drivers/net/wireless/broadcom/b43legacy/xmit.c
@@ -476,7 +476,8 @@ void b43legacy_rx(struct b43legacy_wldev *dev,
                 * key index, but the ucode passed it slightly different.
                 */
                keyidx = b43legacy_kidx_to_raw(dev, keyidx);
-               B43legacy_WARN_ON(keyidx >= dev->max_nr_keys);
+               if (B43legacy_WARN_ON(keyidx >= dev->max_nr_keys))
+                       goto drop;
 
                if (dev->key[keyidx].algorithm != B43legacy_SEC_ALGO_NONE) {
                        /* Remove PROTECTED flag to mark it as decrypted. */