wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()

[ Upstream commit 60862846308627e9e15546bb647a00de44deb27b ] Check frame length before accessing the mgmt fields in mt7996_mac_write_txwi_80211 in order to avoid a possible oob access. Fixes: 98686cd21624c ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices") Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Link: https://patch.msgid.link/20260226-mt76-addba-req-oob-access-v1-1-b0f6d1ad4850@kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Lorenzo Bianconi <lorenzo@kernel.org> 2026-02-26 20:11:14 +0100
committer: Sasha Levin <sashal@kernel.org> 2026-03-12 07:09:51 -0400
commit: 45661d22639c4b747ef1bd0822b8e76e421a808a (patch)
tree: 7625244cc2474f1de5733453a809553c93c11d45 /drivers/net
parent: 1a1c28a08d74716f3f8e3a21c86b30d0ff13521a (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index 2560e2f46e89..d4f3ee943b47 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -800,6 +800,7 @@ mt7996_mac_write_txwi_80211(struct mt7996_dev *dev, __le32 *txwi,
 	u32 val;
 
 	if (ieee80211_is_action(fc) &&
+	    skb->len >= IEEE80211_MIN_ACTION_SIZE + 1 &&
 	    mgmt->u.action.category == WLAN_CATEGORY_BACK &&
 	    mgmt->u.action.u.addba_req.action_code == WLAN_ACTION_ADDBA_REQ) {
 		if (is_mt7990(&dev->mt76))
author	Lorenzo Bianconi <lorenzo@kernel.org>	2026-02-26 20:11:14 +0100
committer	Sasha Levin <sashal@kernel.org>	2026-03-12 07:09:51 -0400
commit	45661d22639c4b747ef1bd0822b8e76e421a808a (patch)
tree	7625244cc2474f1de5733453a809553c93c11d45 /drivers/net
parent	1a1c28a08d74716f3f8e3a21c86b30d0ff13521a (diff)