From: Aviel Zohar Date: Mon, 13 Apr 2026 03:31:35 +0000 (+0300) Subject: wifi: mt76: mt7915: validate skb length in txpower SKU query X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4497665cf4f680f8befbe3c980c93917a195d26b;p=thirdparty%2Flinux.git wifi: mt76: mt7915: validate skb length in txpower SKU query In mt7915_mcu_get_txpower_sku(), the response skb from mt76_mcu_send_and_get_msg() is used in memcpy without validating its length: For TX_POWER_INFO_RATE: memcpy(res, skb->data + 4, sizeof(res)); where sizeof(res) is MT7915_SKU_RATE_NUM * 2 = 322 bytes. For TX_POWER_INFO_PATH: memcpy(txpower, skb->data + 4, len); In both cases, if the firmware returns a response shorter than the expected size, the memcpy reads beyond the skb data buffer. The data surfaces to userspace via debugfs (txpower_sku and txpower_path). Add length checks for both code paths before the memcpy. Signed-off-by: Aviel Zohar Link: https://patch.msgid.link/20260413033136.5417-3-avielzohar123@gmail.com Signed-off-by: Felix Fietkau --- diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c index 318c38149463..4a381d351e61 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c @@ -3534,10 +3534,18 @@ int mt7915_mcu_get_txpower_sku(struct mt7915_phy *phy, s8 *txpower, int len, if (category == TX_POWER_INFO_RATE) { s8 res[MT7915_SKU_RATE_NUM][2]; + if (skb->len < sizeof(res) + 4) { + dev_kfree_skb(skb); + return -EINVAL; + } memcpy(res, skb->data + 4, sizeof(res)); for (i = 0; i < len; i++) txpower[i] = res[i][req.band_idx]; } else if (category == TX_POWER_INFO_PATH) { + if (skb->len < len + 4) { + dev_kfree_skb(skb); + return -EINVAL; + } memcpy(txpower, skb->data + 4, len); }
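
Review bot: `len` itself is still unvalidated in both branches, so the new `skb->len` checks do not fully bound the copies. In the TX_POWER_INFO_PATH branch, `skb->len < len + 4` compares the unsigned `skb->len` against a signed `int` expression: for `len` between -4 and -1 the right-hand side is 0 to 3, the check passes, and `memcpy(txpower, skb->data + 4, len)` then converts the negative `len` to a very large size. In the TX_POWER_INFO_RATE branch, the loop `for (i = 0; i < len; i++)` indexes `res[i]` with nothing in the visible lines limiting `len` to MT7915_SKU_RATE_NUM, so a larger `len` reads past the on-stack array even when the skb is long enough. Unless the part of the function outside this hunk already guarantees both, consider rejecting `len < 0` up front and `len > MT7915_SKU_RATE_NUM` in the rate branch, or making the parameter unsigned. Two smaller points: the header offset `4` now appears four times in this block and would read better as a named constant or as the size of a response header struct, and the duplicated `dev_kfree_skb(skb); return -EINVAL;` pairs could share one error label. A short firmware reply is also closer to an I/O or protocol error than to an invalid argument, so an errno that tells debugfs readers the firmware response was truncated may be worth considering.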