wifi: brcmfmac: validate bsscfg indices in IF events

brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as an array index without a matching range check. Reject IF events whose bsscfg index does not fit in drvr->iflist[] before indexing the interface array. Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn> Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com> Link: https://patch.msgid.link/20260323074551.93530-1-pengpeng@iscas.ac.cn [add missing wifi prefix] Signed-off-by: Johannes Berg <johannes.berg@intel.com>
author: Pengpeng Hou <pengpeng@iscas.ac.cn> 2026-03-23 15:45:51 +0800
committer: Johannes Berg <johannes.berg@intel.com> 2026-04-07 12:34:20 +0200
commit: 304950a467d83678bd0b0f46331882e2ac23b12d (patch)
tree: 17be601347dfbd373edebde52fa08e45ed8820fc /drivers
parent: 12cd7632757a54ce586e36040210b1a738a0fc53 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
index 984886481f4e..1cff4ba76943 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
@@ -153,6 +153,11 @@ static void brcmf_fweh_handle_if_event(struct brcmf_pub *drvr,
 		bphy_err(drvr, "invalid interface index: %u\n", ifevent->ifidx);
 		return;
 	}
+	if (ifevent->bsscfgidx >= BRCMF_MAX_IFS) {
+		bphy_err(drvr, "invalid bsscfg index: %u\n",
+			 ifevent->bsscfgidx);
+		return;
+	}
 
 	ifp = drvr->iflist[ifevent->bsscfgidx];
author	Pengpeng Hou <pengpeng@iscas.ac.cn>	2026-03-23 15:45:51 +0800
committer	Johannes Berg <johannes.berg@intel.com>	2026-04-07 12:34:20 +0200
commit	304950a467d83678bd0b0f46331882e2ac23b12d (patch)
tree	17be601347dfbd373edebde52fa08e45ed8820fc /drivers
parent	12cd7632757a54ce586e36040210b1a738a0fc53 (diff)