]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
projects / thirdparty / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ad3d4d3)
wifi: mac80211: avoid out-of-bounds access in monitor
authorMiri Korenblit <miriam.rachel.korenblit@intel.com>
Mon, 4 May 2026 07:20:46 +0000 (10:20 +0300)
committerJohannes Berg <johannes.berg@intel.com>
Tue, 5 May 2026 10:10:15 +0000 (12:10 +0200)
In NAN, we don't know on what band the frame will be sent. Therefore we
set info->band to NUM_NL80211_BANDS. However, this leads to out-of-bound
access in ieee80211_add_tx_radiotap_header when we try to access the
sbands array.

Fix it by not accessing the array if the band is NUM_NL80211_BANDS.
This means that we will not report rate info for legacy rate in NAN.
But nobody really cares about it.

Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260504101829.346c9893d136.I15919027597c04ec35c6217db6e52e2a605e5cfc@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/mac80211/status.c patch | blob | blame | history

diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index 4b38aa0e902a85be6af9b3a02d95803087295b1a..8716eda8317d165367e586514f383b2ae2efaf69 100644 (file)
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -5,7 +5,7 @@
  * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
  * Copyright 2008-2010 Johannes Berg <johannes@sipsolutions.net>
  * Copyright 2013-2014  Intel Mobile Communications GmbH
- * Copyright 2021-2025  Intel Corporation
+ * Copyright 2021-2026  Intel Corporation
  */
 
 #include <linux/export.h>
@@ -295,9 +295,10 @@ ieee80211_add_tx_radiotap_header(struct ieee80211_local *local,
                                                 RATE_INFO_FLAGS_VHT_MCS |
                                                 RATE_INFO_FLAGS_HE_MCS)))
                        legacy_rate = status_rate->rate_idx.legacy;
-       } else if (info->status.rates[0].idx >= 0 &&
-                !(info->status.rates[0].flags & (IEEE80211_TX_RC_MCS |
-                                                 IEEE80211_TX_RC_VHT_MCS))) {
+       } else if (info->band < NUM_NL80211_BANDS &&
+                  info->status.rates[0].idx >= 0 &&
+                  !(info->status.rates[0].flags & (IEEE80211_TX_RC_MCS |
+                                                   IEEE80211_TX_RC_VHT_MCS))) {
                struct ieee80211_supported_band *sband;
 
                sband = local->hw.wiphy->bands[info->band];
A mirror of Linus' kernel repository