From: Miri Korenblit Date: Mon, 4 May 2026 07:20:46 +0000 (+0300) Subject: wifi: mac80211: avoid out-of-bounds access in monitor X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=03c41203ee5a833a9d7a7630be190830cede29d8;p=thirdparty%2Fkernel%2Flinux.git wifi: mac80211: avoid out-of-bounds access in monitor In NAN, we don't know on what band the frame will be sent. Therefore we set info->band to NUM_NL80211_BANDS. However, this leads to out-of-bound access in ieee80211_add_tx_radiotap_header when we try to access the sbands array. Fix it by not accessing the array if the band is NUM_NL80211_BANDS. This means that we will not report rate info for legacy rate in NAN. But nobody really cares about it. Reviewed-by: Ilan Peer Reviewed-by: Johannes Berg Signed-off-by: Miri Korenblit Link: https://patch.msgid.link/20260504101829.346c9893d136.I15919027597c04ec35c6217db6e52e2a605e5cfc@changeid Signed-off-by: Johannes Berg --- diff --git a/net/mac80211/status.c b/net/mac80211/status.c index 4b38aa0e902a..8716eda8317d 100644 --- a/net/mac80211/status.c +++ b/net/mac80211/status.c @@ -5,7 +5,7 @@ * Copyright 2006-2007 Jiri Benc * Copyright 2008-2010 Johannes Berg * Copyright 2013-2014 Intel Mobile Communications GmbH - * Copyright 2021-2025 Intel Corporation + * Copyright 2021-2026 Intel Corporation */ #include @@ -295,9 +295,10 @@ ieee80211_add_tx_radiotap_header(struct ieee80211_local *local, RATE_INFO_FLAGS_VHT_MCS | RATE_INFO_FLAGS_HE_MCS))) legacy_rate = status_rate->rate_idx.legacy; - } else if (info->status.rates[0].idx >= 0 && - !(info->status.rates[0].flags & (IEEE80211_TX_RC_MCS | - IEEE80211_TX_RC_VHT_MCS))) { + } else if (info->band < NUM_NL80211_BANDS && + info->status.rates[0].idx >= 0 && + !(info->status.rates[0].flags & (IEEE80211_TX_RC_MCS | + IEEE80211_TX_RC_VHT_MCS))) { struct ieee80211_supported_band *sband; sband = local->hw.wiphy->bands[info->band];
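Review bot: the new `info->band < NUM_NL80211_BANDS` test at the head of the `else if` condition in ieee80211_add_tx_radiotap_header() carries no comment, so a reader of the code alone cannot tell that NUM_NL80211_BANDS is a legitimate "band unknown" value here rather than a corrupted field. A one-line comment above the condition would help: it should say that NAN frames are queued with info->band set to NUM_NL80211_BANDS and that the legacy rate is deliberately left unreported in that case. That keeps a later cleanup from dropping the check, or from "fixing" the missing rate by indexing `local->hw.wiphy->bands[info->band]` again. In the shown context the preceding status_rate branch takes legacy_rate straight from `status_rate->rate_idx.legacy` and does not index bands[], so the guard is placed on the only band-indexed lookup visible in this hunk. Since this closes an out-of-bounds array read, the trailer block would also benefit from a Fixes: tag naming the commit that started setting info->band to NUM_NL80211_BANDS, so the fix can be matched to affected stable trees.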