drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++ 1 file changed, 5 insertions(+)
brcmf_fweh_handle_if_event() validates the firmware-provided interface
index before it touches drvr->iflist[], but it still uses the raw
bsscfgidx field as an array index without a matching range check.
Reject IF events whose bsscfg index does not fit in drvr->iflist[]
before indexing the interface array.
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
index 984886481f4e..1cff4ba76943 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
@@ -153,6 +153,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr,
bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx);
return;
}
+ if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) {
+ bphy_err(drvr, "invalid bsscfg index: %u\n",
+ ifevent->bsscfgidx);
+ return;
+ }
ifp = drvr->iflist[ifevent->bsscfgidx];
--
2.50.1 (Apple Git-155)On 23/03/2026 08:45, Pengpeng Hou wrote: > brcmf_fweh_handle_if_event() validates the firmware-provided interface > index before it touches drvr->iflist[], but it still uses the raw > bsscfgidx field as an array index without a matching range check. > > Reject IF events whose bsscfg index does not fit in drvr->iflist[] > before indexing the interface array. Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com> > Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn> > --- > drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 5 +++++ > 1 file changed, 5 insertions(+)
© 2016 - 2026 Red Hat, Inc.