[PATCH] wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation

Next message: Thomas Wei&#xDF;schuh: "Re: [PATCH] arm64: vdso: fix AArch32 compat init allocation leaks"
Previous message: Konrad Dybcio: "Re: [PATCH 12/16] drm/msm/a6xx: Add SKU detection support for X2-85"
Next in thread: Jeff Johnson: "Re: [PATCH] wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yasuaki Torimaru

Date: Tue Mar 24 2026 - 06:21:38 EST

The variable valuesize is declared as u8 but accumulates the total
length of all SSIDs to scan. Each SSID contributes up to 33 bytes
(IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10)
SSIDs the total can reach 330, which wraps around to 74 when stored
in a u8.

This causes kmalloc to allocate only 75 bytes while the subsequent
memcpy writes up to 331 bytes into the buffer, resulting in a 256-byte
heap buffer overflow.

Widen valuesize from u8 to u32 to accommodate the full range.

Fixes: c5c77ba18ea6 ("staging: wilc1000: Add SDIO/SPI 802.11 driver")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Yasuaki Torimaru <yasuakitorimaru@xxxxxxxxx>
---
drivers/net/wireless/microchip/wilc1000/hif.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/microchip/wilc1000/hif.c b/drivers/net/wireless/microchip/wilc1000/hif.c
index f354b11cb919..944b2a812b63 100644
--- a/drivers/net/wireless/microchip/wilc1000/hif.c
+++ b/drivers/net/wireless/microchip/wilc1000/hif.c
@@ -163,7 +163,7 @@ int wilc_scan(struct wilc_vif *vif, u8 scan_source,
u32 index = 0;
u32 i, scan_timeout;
u8 *buffer;
- u8 valuesize = 0;
+ u32 valuesize = 0;
u8 *search_ssid_vals = NULL;
const u8 ch_list_len = request->n_channels;
struct host_if_drv *hif_drv = vif->hif_drv;
--
2.50.1