wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()

[ Upstream commit 4e10a730d1b511ff49723371ed6d694dd1b2c785 ] Check frame length before accessing the mgmt fields in mt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob access. Fixes: 577dbc6c656d ("mt76: mt7915: enable offloading of sequence number assignment") Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Link: https://patch.msgid.link/20260226-mt76-addba-req-oob-access-v1-3-b0f6d1ad4850@kernel.org [fix check to also cover mgmt->u.action.u.addba_req.capab, correct Fixes tag] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Lorenzo Bianconi <lorenzo@kernel.org> 2026-02-26 20:11:16 +0100
committer: Sasha Levin <sashal@kernel.org> 2026-03-12 07:09:51 -0400
commit: 0fb3b94a9431a3800717e5c3b6fa2e1045a15029 (patch)
tree: a0c42771b83d766cbcc0eb462287cef8b9567b02 /drivers/net
parent: 22a6419a8b955df81082285543be3e61816c49b5 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
index 3304b5971be0..b41ca1410da9 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
@@ -413,6 +413,7 @@ mt76_connac2_mac_write_txwi_80211(struct mt76_dev *dev, __le32 *txwi,
 	u32 val;
 
 	if (ieee80211_is_action(fc) &&
+	    skb->len >= IEEE80211_MIN_ACTION_SIZE + 1 + 1 + 2 &&
 	    mgmt->u.action.category == WLAN_CATEGORY_BACK &&
 	    mgmt->u.action.u.addba_req.action_code == WLAN_ACTION_ADDBA_REQ) {
 		u16 capab = le16_to_cpu(mgmt->u.action.u.addba_req.capab);
author	Lorenzo Bianconi <lorenzo@kernel.org>	2026-02-26 20:11:16 +0100
committer	Sasha Levin <sashal@kernel.org>	2026-03-12 07:09:51 -0400
commit	0fb3b94a9431a3800717e5c3b6fa2e1045a15029 (patch)
tree	a0c42771b83d766cbcc0eb462287cef8b9567b02 /drivers/net
parent	22a6419a8b955df81082285543be3e61816c49b5 (diff)