net80211: Fix subobject bounds issue in IEEE80211_IOC_CHANINFO

jrtc27 · brooksdavis · commit 2339ee891fe2 · 2025-04-02T09:09:10.000-07:00
We fault on the kernel access into the array after ic_nchans here which
manifests as EFAULT returned back to userspace.
diff --git a/sys/net80211/ieee80211_ioctl.c b/sys/net80211/ieee80211_ioctl.c
@@ -147,7 +147,8 @@ ieee80211_ioctl_getchaninfo(struct ieee80211vap *vap, struct ieee80211req *ireq)
 	if (space > ireq->i_len)
 		space = ireq->i_len;
 	/* XXX assumes compatible layout */
-	return copyout(&ic->ic_nchans, ireq->i_data, space);
+	return copyout((char *)ic + __offsetof(struct ieee80211com, ic_nchans),
+	    ireq->i_data, space);
 }
 
 static int

Original file line number	Diff line number	Diff line change
`@@ -147,7 +147,8 @@ ieee80211_ioctl_getchaninfo(struct ieee80211vap vap, struct ieee80211req ireq)`
`147`	`147`	`if (space > ireq->i_len)`
`148`	`148`	`space = ireq->i_len;`
`149`	`149`	`/* XXX assumes compatible layout */`
`150`		`- return copyout(&ic->ic_nchans, ireq->i_data, space);`
	`150`	`+ return copyout((char *)ic + __offsetof(struct ieee80211com, ic_nchans),`
	`151`	`+ ireq->i_data, space);`
`151`	`152`	`}`
`152`	`153`
`153`	`154`	`static int`