diff options
| author |   Michael Bommarito <michael.bommarito@gmail.com> | 2026-05-15 11:17:18 -0400 |
|---|---|---|
| committer |   Johannes Berg <johannes.berg@intel.com> | 2026-05-20 11:20:37 +0200 |
| commit | a6e6ccd5bd07155c2add6c74ce1a5e68ad3b95ea (patch) | |
| tree | 274aff403cfe954a4c4e4f9466b64a03fa5aaf5c /tools/testing/selftests/dm-verity/git:/ssh:/git@git.zx2c4.com | |
| parent | wifi: wilc1000: fix dma_buffer leak on bus acquire failure (diff) | |
wifi: mac80211: consume only present negotiated TTLM maps
ieee80211_tid_to_link_map_size_ok() validates negotiated TTLM elements
against the number of link-map entries indicated by link_map_presence.
ieee80211_parse_neg_ttlm() must consume the same layout.
The parser advanced its cursor for every TID, including TIDs whose
presence bit is clear and therefore have no map bytes in the element.
A sparse map can then make a later present TID read past the validated
element.
The bad bytes land in neg_ttlm->{up,down}link[tid] but are gated by
valid_links before being applied to driver state, so a peer cannot
turn the read into a policy change. Under KUnit + KASAN with an
exact-sized element allocation the OOB read is reported as a
slab-out-of-bounds; whether the same trigger fires under the
production RX path depends on surrounding allocator state.
Advance the cursor only when the current TID has a map present.
Fixes: 8f500fbc6c65 ("wifi: mac80211: process and save negotiated TID to Link mapping request")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260515151719.1317659-2-michael.bommarito@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'tools/testing/selftests/dm-verity/git:/ssh:/git@git.zx2c4.com')
0 files changed, 0 insertions, 0 deletions