[PATCH v2 2/2] wifi: b43: fix OOB read from hardware key index in b43_rx()

Thu Apr 16 09:35:54 PDT 2026

On Thu, 16 Apr 2026 08:34:11 +0200
Jonas Gorski <jonas.gorski at gmail.com> wrote:
> > diff --git a/drivers/net/wireless/broadcom/b43/xmit.c b/drivers/net/wireless/broadcom/b43/xmit.c
> > index XXXXXXX..XXXXXXX 100644
> > --- a/drivers/net/wireless/broadcom/b43/xmit.c
> > +++ b/drivers/net/wireless/broadcom/b43/xmit.c
> > @@ -704,7 +704,10 @@ void b43_rx(struct b43_wldev *dev, struct sk_buff *skb, const void *_rxhdr)
> >                  */
> >                 keyidx = b43_kidx_to_raw(dev, keyidx);
> > -               B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
> > +               if (keyidx >= ARRAY_SIZE(dev->key)) {
> > +                       b43dbg(dev->wl, "RX: invalid key index %u\n", keyidx);
> > +                       goto drop;
> > +               }  
> 
> B43_WARN_ON() returns the condition's result, so if you keep it you
> can shorten this to
> 
> if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key)))
>         goto drop;

Acked-by: Michael Büsch <m at bues.ch>

Please also check the b43legacy driver. It may contain exactly the same code.

-- 
Michael Büsch
https://bues.ch/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.infradead.org/pipermail/b43-dev/attachments/20260416/0d7d5a32/attachment.sig>