wifi: rtlwifi: validate action frame size before using in _rtl_pci_tx_isr()

author Ping-Ke Shih <pkshih@realtek.com>

Tue, 14 Apr 2026 06:22:29 +0000 (14:22 +0800)

committer Ping-Ke Shih <pkshih@realtek.com>

Wed, 29 Apr 2026 03:01:06 +0000 (11:01 +0800)
author Ping-Ke Shih <pkshih@realtek.com>
Tue, 14 Apr 2026 06:22:29 +0000 (14:22 +0800)
committer Ping-Ke Shih <pkshih@realtek.com>
Wed, 29 Apr 2026 03:01:06 +0000 (11:01 +0800)
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c

index 9cc0a871ea3c1f62ad00cd0a0e7268446f002466..73018a0498b4b9f5881de97e7d0329c3c55ebc67 100644 (file)
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -505,9 +505,10 @@ static void _rtl_pci_tx_isr(struct ieee80211_hw *hw, int prio)
                         }
                 }
                 if (ieee80211_is_action(fc)) {
-                       struct ieee80211_mgmt *action_frame =
-                               (struct ieee80211_mgmt *)skb->data;
-                       if (action_frame->u.action.action_code ==
+                       struct ieee80211_mgmt *action_frame = (void *)skb->data;
+
+                       if (skb->len >= IEEE80211_MIN_ACTION_SIZE(action_code) &&
+                           action_frame->u.action.action_code ==
                             WLAN_HT_ACTION_SMPS) {
                                 dev_kfree_skb(skb);
                                 goto tx_status_ok;
author	Ping-Ke Shih <pkshih@realtek.com>
	Tue, 14 Apr 2026 06:22:29 +0000 (14:22 +0800)
committer	Ping-Ke Shih <pkshih@realtek.com>
	Wed, 29 Apr 2026 03:01:06 +0000 (11:01 +0800)