From: Aviel Zohar Date: Mon, 13 Apr 2026 03:31:34 +0000 (+0300) Subject: wifi: mt76: mt7925: validate skb length in testmode query X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7369a00860a0704461d440e7c3bf9b49bfdbaee;p=thirdparty%2Flinux.git wifi: mt76: mt7925: validate skb length in testmode query In mt7925_tm_query(), the response skb from mt76_mcu_send_and_get_msg() is used in a memcpy without validating its length: memcpy(evt_resp, skb->data + 8, MT7925_EVT_RSP_LEN); where MT7925_EVT_RSP_LEN is 512. If the firmware returns a response shorter than 520 bytes (8 + 512), this reads beyond the skb data buffer. The over-read data is then returned to userspace via nla_put() in mt7925_testmode_dump(). Add a length check before the memcpy to ensure the skb contains sufficient data. Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") Signed-off-by: Aviel Zohar Link: https://patch.msgid.link/20260413033136.5417-2-avielzohar123@gmail.com Signed-off-by: Felix Fietkau --- diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/testmode.c b/drivers/net/wireless/mediatek/mt76/mt7925/testmode.c index 3d40aacfc011..22a8f1ddc321 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/testmode.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/testmode.c @@ -105,6 +105,11 @@ mt7925_tm_query(struct mt792x_dev *dev, struct mt7925_tm_cmd *req, if (ret) goto out; + if (skb->len < MT7925_EVT_RSP_LEN + 8) { + ret = -EINVAL; + goto out; + } + memcpy((char *)evt_resp, (char *)skb->data + 8, MT7925_EVT_RSP_LEN); out:
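Review bot: the new length check bounds the copy with `skb->len`, but the memcpy reads from `skb->data`, so the strictly correct bound for the linear buffer is `skb_headlen(skb)`; for MCU response skbs, which are allocated linear, the two are equal, so this is a robustness point rather than a bug, but `if (skb_headlen(skb) < MT7925_EVT_RSP_LEN + 8)` would document the assumption. Two smaller points on the same hunk: the `8` header offset is now repeated as a bare magic number in both the check and the memcpy, so a named constant (or `sizeof()` of the event header struct, if one exists) would keep them from drifting apart; and `-EINVAL` suggests a bad caller argument, whereas a truncated firmware reply is a device-side protocol failure, for which `-EIO` or `-EPROTO` reads more accurately to someone debugging the testmode path.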