]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
wifi: rtw89: phy: check length before parsing PHY status IE
authorPing-Ke Shih <pkshih@realtek.com>
Wed, 6 May 2026 13:09:57 +0000 (21:09 +0800)
committerPing-Ke Shih <pkshih@realtek.com>
Wed, 13 May 2026 03:41:43 +0000 (11:41 +0800)
Hardware might report PHY status IE with unexpected length, and parser
might access out of range. Check the length ahead.

Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260506131000.1706298-12-pkshih@realtek.com
drivers/net/wireless/realtek/rtw89/core.c

index 7fa479ce52e2bdb82d3e6d5d453d22231a62bb1e..7e1182a4994274c5f3045ece4ca325c25fcddeac 100644 (file)
@@ -2276,7 +2276,6 @@ static int rtw89_core_rx_parse_phy_sts(struct rtw89_dev *rtwdev,
                const struct rtw89_phy_sts_iehdr *iehdr = pos;
 
                ie_len = rtw89_core_get_phy_status_ie_len(rtwdev, iehdr);
-               rtw89_core_process_phy_status_ie(rtwdev, iehdr, phy_ppdu);
                pos += ie_len;
                if (pos > end || ie_len == 0) {
                        /* clear pointers to prevent accessing out of IE */
@@ -2285,8 +2284,11 @@ static int rtw89_core_rx_parse_phy_sts(struct rtw89_dev *rtwdev,
 
                        rtw89_debug(rtwdev, RTW89_DBG_TXRX,
                                    "phy status parse failed\n");
+
                        return -EINVAL;
                }
+
+               rtw89_core_process_phy_status_ie(rtwdev, iehdr, phy_ppdu);
        }
 
        rtw89_chip_convert_rpl_to_rssi(rtwdev, phy_ppdu);