From: Ping-Ke Shih Date: Tue, 14 Apr 2026 06:22:29 +0000 (+0800) Subject: wifi: rtlwifi: validate action frame size before using in _rtl_pci_tx_isr() X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=043f09bb78ddb98dd5d587bf8fe4836daeb3a735;p=thirdparty%2Fkernel%2Flinux.git wifi: rtlwifi: validate action frame size before using in _rtl_pci_tx_isr() Since TX action frames might be malformed, validate the size before using. Tested on RTL8723BE. Signed-off-by: Ping-Ke Shih Link: https://patch.msgid.link/20260414062229.21047-4-pkshih@realtek.com --- diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c index 9cc0a871ea3c..73018a0498b4 100644 --- a/drivers/net/wireless/realtek/rtlwifi/pci.c +++ b/drivers/net/wireless/realtek/rtlwifi/pci.c @@ -505,9 +505,10 @@ static void _rtl_pci_tx_isr(struct ieee80211_hw *hw, int prio) } } if (ieee80211_is_action(fc)) { - struct ieee80211_mgmt *action_frame = - (struct ieee80211_mgmt *)skb->data; - if (action_frame->u.action.action_code == + struct ieee80211_mgmt *action_frame = (void *)skb->data; + + if (skb->len >= IEEE80211_MIN_ACTION_SIZE(action_code) && + action_frame->u.action.action_code == WLAN_HT_ACTION_SMPS) { dev_kfree_skb(skb); goto tx_status_ok;
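Review bot: the new length test in the `ieee80211_is_action(fc)` branch compares `skb->len`, which counts paged data as well as the linear area, while `action_frame` is read directly from `skb->data`. If a TX skb reaching `_rtl_pci_tx_isr()` can ever be non-linear, the check can pass while the `action_code` byte lies outside the linear buffer. Checking `skb_headlen(skb) >= IEEE80211_MIN_ACTION_SIZE(action_code)` instead would cover that case. If these skbs are always linear here, a one-line comment saying so would be enough. Separately, the condition as shown only matches `action_code == WLAN_HT_ACTION_SMPS` and nothing visible in the hunk tests the action category, so it is worth confirming that a frame of another category carrying the same code value cannot take the `dev_kfree_skb(skb); goto tx_status_ok;` path. The commit message would also benefit from a sentence on how a short action frame can reach this TX completion path, so the scope of the fix is clear to backporters.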