KernelScan.io

HIGH

mt76 WiFi Frame OOB

CVE-2026-23363

CVSS 7.1 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

KernelScan AI: 7.1 HIGH

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7925: Fix possible oob access in mt7925_mac_write_txwi_80211()

Check frame length before accessing the mgmt fields in mt7925_mac_write_txwi_80211 in order to avoid a possible oob access.

Engine v0.2.0

Risk summary

An attacker within WiFi range can send malformed 802.11 action frames to cause out-of-bounds memory reads in the MT7925 WiFi driver. This could potentially lead to information disclosure or system crashes, affecting devices using MediaTek MT7925 WiFi chips.

Affected: drivers/net/wireless/mediatek/mt76/mt7925/mac.c

Vulnerability analysis

Root Cause: The mt7925_mac_write_txwi_80211() function accesses management frame fields (mgmt->u.action.category and mgmt->u.action.u.addba_req.action_code) without first validating that the skb buffer contains sufficient data. When processing 802.11 action frames, the code assumes the frame is at least large enough to contain the action category and ADDBA request fields, but malformed or truncated frames could cause out-of-bounds memory access.

Attack Surface: This vulnerability affects systems with MediaTek MT7925 WiFi chips when processing incoming 802.11 management frames. An attacker within wireless range could send specially crafted action frames with insufficient length to trigger the out-of-bounds read. The attack requires the ability to send raw 802.11 frames to the vulnerable device.

Fix Mechanism: The patch adds a length check 'skb->len >= IEEE80211_MIN_ACTION_SIZE + 1' before accessing the management frame fields. This ensures the buffer contains at least the minimum required bytes for an action frame plus one additional byte for the action code field, preventing out-of-bounds reads when processing malformed WiFi frames.
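The length check described under Fix Mechanism, modelled in user-space C as an added example (not the driver's or the patch's code). The constants are local stand-ins for the kernel definitions, and frame_is_addba_req() and classify_sample() are hypothetical helpers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins for the kernel definitions (assumptions of this example). */
#define MGMT_HDR_LEN     24u                 /* fc, duration, 3 addresses, seq_ctrl */
#define MIN_ACTION_SIZE  (MGMT_HDR_LEN + 1u) /* header plus the category byte */
#define FC_TYPE_SUBTYPE  0x00fcu             /* frame type and subtype bits */
#define FC_MGMT_ACTION   0x00d0u             /* management frame, action subtype */
#define CATEGORY_BACK    3u                  /* Block Ack category */
#define ACTION_ADDBA_REQ 0u

/* Hypothetical helper: true only for a complete ADDBA request frame. */
bool frame_is_addba_req(const uint8_t *frame, size_t len)
{
    if (len < 2)
        return false;
    uint16_t fc = (uint16_t)(frame[0] | (frame[1] << 8)); /* little endian */
    if ((fc & FC_TYPE_SUBTYPE) != FC_MGMT_ACTION)
        return false;
    /* Category (offset 24) and action code (offset 25) must both be in bounds. */
    if (len < MIN_ACTION_SIZE + 1u)
        return false;
    return frame[MGMT_HDR_LEN] == CATEGORY_BACK &&
           frame[MGMT_HDR_LEN + 1] == ACTION_ADDBA_REQ;
}

/* Constructed sample: the backing buffer always holds ADDBA values at offsets
 * 24 and 25, so reading past `len` would misclassify a truncated frame. */
bool classify_sample(size_t len)
{
    uint8_t buf[26] = {0};
    if (len > sizeof(buf))
        return false;
    buf[0] = 0xd0;
    buf[24] = CATEGORY_BACK;
    buf[25] = ACTION_ADDBA_REQ;
    return frame_is_addba_req(buf, len);
}

int main(void)
{
    for (size_t len = 24; len <= 26; len++)
        printf("len=%zu addba_req=%d\n", len, classify_sample(len));
    return 0;
}
```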

Branch    Fixed in  Patch commit
6.12      6.12.77   3356464e50e1
6.18      6.18.17   2831a8c57454
6.19      6.19.7    22a6419a8b95
mainline  7.0       c41a9abd6ae3