iwl_mld_netdetect_match_info_handler() validates the firmware notification
length against sizeof(*notif) (the fixed-header size of struct
iwl_scan_offload_match_info, 24 bytes) but then immediately memcpys
NETDETECT_QUERY_BUF_LEN bytes from notif->matches:

    if (IWL_FW_CHECK(mld, len < sizeof(*notif),
                     "Invalid scan offload match notif of length: %d\n", len))
        return true;
    ...
    if (results->matched_profiles)
        memcpy(results->matches, notif->matches, NETDETECT_QUERY_BUF_LEN);

NETDETECT_QUERY_BUF_LEN is (sizeof(struct iwl_scan_offload_profile_match) *
IWL_SCAN_MAX_PROFILES_V2) = 18 * 8 = 144 bytes, so a firmware-emitted notif
sized at exactly sizeof(*notif) (24 bytes) satisfies the guard yet the memcpy
reads 144 bytes past the slab-allocated notification buffer.

Reproduced under UML+KASAN via a KUnit harness that lifts the
length-validation + memcpy logic into a self-contained test. KASAN reports

    BUG: KASAN: slab-out-of-bounds in mld_match_info_buggy.constprop.0
    Read of size 144 at addr ...

Building drivers/net/wireless/intel/iwlwifi/mld/d3.o under x86_64 allmodconfig
with the fix applied yields no new warnings.

This is the same bug shape as the previously fixed sibling commit 744fabc338e8
("wifi: iwlwifi: mvm: fix potential out-of-bounds read in
iwl_mvm_nd_match_info_handler()") applied to the mvm peer function. The mld
driver was added in February 2025 and inherited the same length-check miss;
apply the same correction shape.

Cc: stable@vger.kernel.org
Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver")
Signed-off-by: Michael Bommarito
Assisted-by: Claude:claude-opus-4-7
---
 drivers/net/wireless/intel/iwlwifi/mld/d3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mld/d3.c b/drivers/net/wireless/intel/iwlwifi/mld/d3.c
index ef98efc8fb1b..e89ec531cb06 100644
--- a/drivers/net/wireless/intel/iwlwifi/mld/d3.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/d3.c
@@ -1128,7 +1128,7 @@ iwl_mld_netdetect_match_info_handler(struct iwl_mld *mld, mld->netdetect)) return true; - if (IWL_FW_CHECK(mld, len < sizeof(*notif), + if (IWL_FW_CHECK(mld, len < sizeof(*notif) + NETDETECT_QUERY_BUF_LEN, "Invalid scan offload match notif of length: %d\n", len)) return true; -- 2.53.0
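Review bot: the strengthened guard in this hunk now rejects, and logs as a firmware bug through IWL_FW_CHECK, every match-info notification shorter than sizeof(*notif) + NETDETECT_QUERY_BUF_LEN (24 + 144 = 168 bytes by the commit message's numbers), including notifications with matched_profiles == 0, where the later memcpy is never reached. If the firmware can legitimately send a bare 24-byte header when nothing matched, those notifications are now dropped with a spurious warning; either confirm in the commit message that the firmware always pads to the full size, or move the size check next to the copy so it only applies on the `if (results->matched_profiles)` path, e.g. `if (IWL_FW_CHECK(mld, len < sizeof(*notif) + NETDETECT_QUERY_BUF_LEN, ...)) return true;` immediately before the memcpy. The fix as written does close the 144-byte over-read the KASAN report shows, since the copy is always bounded by the now-validated length.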