Message-ID: <20251112163750463kAkOIyBxvHkYWh9Cgdypb@zte.com.cn>
Date: Wed, 12 Nov 2025 16:37:50 +0800 (CST)
From: <xu.xin16@....com.cn>
To: <johannes@...solutions.net>
Cc: <kees@...nel.org>, <concord@...too.org>, <linux-wireless@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <qiu.yutan@....com.cn>
Subject: wifi: mac80211: make n_channels updated absolutely before accessing channels[]
From: xu xin <xu.xin16@....com.cn>
The commit 2663d0462eb3 ("wifi: mac80211: Avoid address calculations via out of
bounds array indexing") said that req->n_channels must be set before
req->channels[] can be used. But there is still a case where req.channels is
accessed prior to n_channels++.
This does not fix any visible bug; it just makes sure n_channels is always
updated before channels[] is accessed, to avoid a potential UBSAN out of
indexing warning.
Fixes: 2663d0462eb3 ("wifi: mac80211: Avoid address calculations via out of bounds array indexing")
Signed-off-by: xu xin <xu.xin16@....com.cn>
---
net/mac80211/scan.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index 5ef315ed3b0f..86bd85ac36be 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -406,7 +406,9 @@ static bool ieee80211_prep_hw_scan(struct ieee80211_sub_if_data *sdata)
if (req->channels[i]->band !=
local->hw_scan_band)
continue;
- local->hw_scan_req->req.channels[(*n_chans)++] =
+ (*n_chans)++;
+ /* Use *n_chans - 1 to access the index that was valid before incrementing */
+ local->hw_scan_req->req.channels[*n_chans - 1] =
req->channels[i];
bands_used |= BIT(req->channels[i]->band);
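Review bot: The comment added above the `channels[*n_chans - 1]` store says the index "was valid before incrementing", which contradicts the commit message: the whole reason for moving `(*n_chans)++` first is that the slot is only within the counted bounds after the count has been raised. Suggest rewording it to say the count is bumped first so that the new last slot is in bounds when it is written. The hunk also increments `*n_chans` while the message talks about `n_channels`; since the relationship between the two is not visible here, the comment or the commit message should state that `n_chans` points at the `n_channels` of `local->hw_scan_req->req`, otherwise a reader cannot tell that the reordering affects the bounds check at all. Finally, a `Fixes:` tag alongside "This does not fix any visible bug" is worth reconsidering, because the tag marks the change as a bug fix.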
--
2.25.1