]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6e76e9e)
wifi: rtw89: add bounds check on firmware mac_id in link lookup
authorTristan Madani <tristan@talencesecurity.com>
Tue, 21 Apr 2026 11:14:42 +0000 (11:14 +0000)
committerPing-Ke Shih <pkshih@realtek.com>
Wed, 29 Apr 2026 05:34:14 +0000 (13:34 +0800)
The mac_id field in RX descriptors is 8 bits wide (0-255), but
assoc_link_on_macid[] has only RTW89_MAX_MAC_ID_NUM (128) entries.
While the driver currently assigns mac_id values below 128, the
descriptor value comes from firmware and is not validated before use
as an array index. Add a defensive bounds check in
rtw89_assoc_link_rcu_dereference() to guard against out-of-range
firmware values.

Fixes: 144c6cd24b35 ("wifi: rtw89: 8922a: configure AP_LINK_PS if FW supports")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260421111442.3395411-1-tristmd@gmail.com
drivers/net/wireless/realtek/rtw89/core.h patch | blob | blame | history

diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h
index bf5585c701ade5bded6949d04792453bc56d3fa3..b290da650c7084ea7d80851effcc7968f8970831 100644 (file)
--- a/drivers/net/wireless/realtek/rtw89/core.h
+++ b/drivers/net/wireless/realtek/rtw89/core.h
@@ -6527,6 +6527,9 @@ static inline void rtw89_assoc_link_clr(struct rtw89_sta_link *rtwsta_link)
 static inline struct rtw89_sta_link *
 rtw89_assoc_link_rcu_dereference(struct rtw89_dev *rtwdev, u8 macid)
 {
+       if (unlikely(macid >= RTW89_MAX_MAC_ID_NUM))
+               return NULL;
+
        return rcu_dereference(rtwdev->assoc_link_on_macid[macid]);
 }
 
A mirror of Linus' kernel repository