[PATCH v2 2/2] wifi: b43: fix OOB read from hardware key index in b43_rx()

[Tristan Madani]

From: Tristan Madani <tristan at talencesecurity.com>

The firmware-controlled key index in b43_rx() can exceed the dev->key[]
array size (58 entries). The existing B43_WARN_ON is non-enforcing in
production builds, allowing an out-of-bounds read of 1 byte from struct
b43_firmware. A non-zero OOB value causes RX_FLAG_DECRYPTED to be
incorrectly set on un-decrypted frames.

Replace with an enforcing check that skips the key lookup for invalid
indices.

Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices")
Signed-off-by: Tristan Madani <tristan at talencesecurity.com>
---
drivers/net/wireless/broadcom/b43/xmit.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/broadcom/b43/xmit.c b/drivers/net/wireless/broadcom/b43/xmit.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/broadcom/b43/xmit.c
+++ b/drivers/net/wireless/broadcom/b43/xmit.c
@@ -704,7 +704,10 @@ void b43_rx(struct b43_wldev *dev, struct sk_buff *skb, const void *_rxhdr)
 		 */
 		keyidx = b43_kidx_to_raw(dev, keyidx);
-		B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
+		if (keyidx >= ARRAY_SIZE(dev->key)) {
+			b43dbg(dev->wl, "RX: invalid key index %u\n", keyidx);
+			goto drop;
+		}

 		if (dev->key[keyidx].algorithm != B43_SEC_ALGO_NONE) {
 			wlhdr_len = ieee80211_hdrlen(fctl);