From: Avinash Bhatt Date: Mon, 11 May 2026 17:36:31 +0000 (+0300) Subject: wifi: iwlwifi: fix buffer overflow when firmware reports no channels X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=45e1a52f65b0c1553b6649f48cac37d453233cef;p=thirdparty%2Flinux.git wifi: iwlwifi: fix buffer overflow when firmware reports no channels On parsing NVM in setting country code, if firmware reports 0 channels, buffer is allocated for 0 rules but a dummy rule is added for cfg80211 compatibility, causing kmemdup() to read 128 bytes from a 32-byte buffer. Allocate regd buffer for one rule addition when reported channels are 0. Signed-off-by: Avinash Bhatt Link: https://patch.msgid.link/20260511203428.e03cd831bc96.I8260d881eebe3e83d3208959b525c51af26414e6@changeid Signed-off-by: Miri Korenblit --- diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c b/drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c index 0736c8c00d4e4..455d6e8c70285 100644 --- a/drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c +++ b/drivers/net/wireless/intel/iwlwifi/iwl-nvm-parse.c @@ -1724,8 +1724,16 @@ iwl_parse_nvm_mcc_info(struct iwl_trans *trans, IWL_DEBUG_DEV(dev, IWL_DL_LAR, "building regdom for %d channels\n", num_of_ch); - /* build a regdomain rule for every valid channel */ - regd = kzalloc_flex(*regd, reg_rules, num_of_ch); + /* build a regdomain rule for every valid channel. + * Certain firmware versions might report no valid channels + * if booted in RF-kill, i.e. not all calibrations etc. are + * running. We'll get out of this situation later when the + * rfkill is removed and we update the regdomain again, but + * since cfg80211 doesn't accept an empty regdomain, we need + * to allocate space for at least one rule to add a dummy + * (unusable) rule in this case so we can init. + */ + regd = kzalloc_flex(*regd, reg_rules, num_of_ch ?: 1); if (!regd) return ERR_PTR(-ENOMEM); 
@@ -1799,14 +1807,7 @@ iwl_parse_nvm_mcc_info(struct iwl_trans *trans, reg_query_regdb_wmm(regd->alpha2, center_freq, rule); } - /* - * Certain firmware versions might report no valid channels - * if booted in RF-kill, i.e. not all calibrations etc. are - * running. We'll get out of this situation later when the - * rfkill is removed and we update the regdomain again, but - * since cfg80211 doesn't accept an empty regdomain, add a - * dummy (unusable) rule here in this case so we can init. - */ + /* If no valid rules were found, add a dummy rule */ if (!valid_rules) { valid_rules = 1; rule = ®d->reg_rules[valid_rules - 1];
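Review bot: on the first hunk, the change from `num_of_ch` to `num_of_ch ?: 1` in the `kzalloc_flex()` call is the actual fix and is sufficient, but the moved comment only describes the RF-kill case where the firmware reports zero channels; the dummy-rule path further down triggers on `!valid_rules`, which also covers `num_of_ch > 0` with no usable channel, and in that case the original allocation of `num_of_ch` rules already had room for index 0. It would help a future reader if the comment said explicitly that the one-rule minimum only matters when `num_of_ch == 0`, since the later write into `regd->reg_rules[0]` is what the allocation must stay in bounds for. Separately, the commit message describes an out-of-bounds read in `kmemdup()` (128 bytes from a 32-byte buffer) but carries no `Fixes:` tag naming the commit that introduced the dummy-rule fallback, and no `Cc: stable@vger.kernel.org`; both are expected for a memory-safety fix so that it gets backported.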
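Review bot: on the second hunk, replacing the eight-line explanation with `/* If no valid rules were found, add a dummy rule */` drops the cross-reference to why the write into `regd->reg_rules[valid_rules - 1]` (index 0) is safe; suggest a one-line pointer such as `/* No valid rules: add a dummy rule (the allocation above reserves space for it) */` so the two halves of the invariant stay linked. Also note that in this rendering the line `rule = ®d->reg_rules[valid_rules - 1];` has had `&reg` collapsed into the `®` character by HTML entity decoding; the intended source line is `rule = &regd->reg_rules[valid_rules - 1];`, unchanged by this patch.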