Commit a2c4324
drivers: wifi: nrf_wifi: Validate PS event TWT flow count and length
Reject malformed nrf_wifi_umac_event_power_save_info payloads before
copying TWT entries into struct wifi_ps_config. The handler previously
trusted num_twt_flows and indexed twt_flow_info[] without checking
WIFI_MAX_TWT_FLOWS or event_len, which could overflow the fixed Zephyr
twt_flows buffer and read past the event buffer.
Fix issue zephyrproject-rtos#108848.
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Assisted-by: Cursor:Auto
1 parent 71e7b15 commit a2c4324
1 file changed
Lines changed: 25 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
9 | 9 | | |
10 | 10 | | |
11 | 11 | | |
| 12 | + | |
12 | 13 | | |
13 | 14 | | |
14 | 15 | | |
| |||
383 | 384 | | |
384 | 385 | | |
385 | 386 | | |
| 387 | + | |
| 388 | + | |
386 | 389 | | |
387 | 390 | | |
388 | 391 | | |
389 | 392 | | |
390 | 393 | | |
391 | 394 | | |
392 | 395 | | |
| 396 | + | |
| 397 | + | |
| 398 | + | |
| 399 | + | |
| 400 | + | |
| 401 | + | |
| 402 | + | |
| 403 | + | |
| 404 | + | |
| 405 | + | |
| 406 | + | |
| 407 | + | |
| 408 | + | |
| 409 | + | |
| 410 | + | |
| 411 | + | |
| 412 | + | |
| 413 | + | |
| 414 | + | |
| 415 | + | |
| 416 | + | |
| 417 | + | |
393 | 418 | | |
394 | 419 | | |
395 | 420 | | |
| |||
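The validation pattern the commit message describes, as an added example that is not the commit's code or the driver's: a device-supplied flow count is checked against both the fixed destination array and the received event length before anything is copied. The struct layouts, `MAX_TWT_FLOWS` value, error codes, and function names are hypothetical stand-ins, and the event bytes are constructed.

```c
#include <stdint.h>
#include <string.h>

#define MAX_TWT_FLOWS 8 /* assumed stand-in for WIFI_MAX_TWT_FLOWS */
enum { PS_OK = 0, PS_ERR_HDR = -1, PS_ERR_COUNT = -2, PS_ERR_LEN = -3 };
/* Hypothetical layouts for illustration, not the driver's real structs. */
struct flow { uint32_t flow_id; uint32_t wake_interval_us; };
struct ps_event_hdr { uint32_t ps_mode; uint32_t num_twt_flows; };
struct ps_config {
    uint32_t ps_mode, num_twt_flows;
    struct flow twt_flows[MAX_TWT_FLOWS];
};

/* Check the device-supplied count against both bounds before any copy. */
int ps_event_to_config(const uint8_t *evt, size_t evt_len, struct ps_config *out)
{
    struct ps_event_hdr hdr;
    if (evt == NULL || out == NULL || evt_len < sizeof(hdr))
        return PS_ERR_HDR;   /* header itself is truncated */
    memcpy(&hdr, evt, sizeof(hdr));
    if (hdr.num_twt_flows > MAX_TWT_FLOWS)
        return PS_ERR_COUNT; /* would overflow out->twt_flows */
    /* Divide rather than multiply so the length check cannot wrap. */
    if ((evt_len - sizeof(hdr)) / sizeof(struct flow) < hdr.num_twt_flows)
        return PS_ERR_LEN;   /* would read past the event buffer */
    out->ps_mode = hdr.ps_mode;
    out->num_twt_flows = hdr.num_twt_flows;
    memcpy(out->twt_flows, evt + sizeof(hdr), hdr.num_twt_flows * sizeof(struct flow));
    return PS_OK;
}

/* Constructed test input: header claims `claimed` flows, buffer holds `actual`. */
size_t build_event(uint8_t *buf, uint32_t claimed, uint32_t actual)
{
    struct ps_event_hdr hdr = { .ps_mode = 1, .num_twt_flows = claimed };
    memcpy(buf, &hdr, sizeof(hdr));
    for (uint32_t i = 0; i < actual; i++) {
        struct flow f = { .flow_id = i, .wake_interval_us = 1000 * (i + 1) };
        memcpy(buf + sizeof(hdr) + i * sizeof(f), &f, sizeof(f));
    }
    return sizeof(hdr) + actual * sizeof(struct flow);
}

int main(void)
{
    uint8_t buf[128];
    struct ps_config cfg;
    return ps_event_to_config(buf, build_event(buf, 4, 1), &cfg) == PS_ERR_LEN ? 0 : 1;
}
```

The two checks are independent: the count bound protects the destination array, and the length bound protects the source buffer, so dropping either one leaves one of the two faults named in the commit message.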