Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's wl1251 wireless driver, specifically in the tx_packet_cb function. This issue arises because the function uses the firmware completion ID to directly index a fixed 16-entry transmission frame array without validating that the ID is within the appropriate range. As a result, there is a risk of accessing invalid memory, which could lead to undefined behavior. The vulnerability affects the Linux kernel stable tree.
The vulnerability could allow out-of-bounds memory access, leading to undefined behavior such as memory corruption or arbitrary code execution.
The vulnerability can be reproduced when the firmware reports a completion ID that exceeds the valid range of the tx_frames array in the wl1251 wireless driver. Because the ID is not validated, the callback dereferences an invalid index.
The vulnerability has been addressed by adding validation to ensure that completion IDs are within the valid range before indexing the tx_frames array. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.
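The check described above, as an added user-space example (not the kernel's code or the upstream patch). The struct, function and field names are hypothetical; only the 16-entry tx_frames array comes from the description. The empty-slot check goes beyond what the page states and is included as a common companion to the range check.

```c
#include <stddef.h>
#include <stdint.h>

#define TX_FRAMES 16                 /* fixed 16-entry array, as described */

struct frame { int len; };           /* stand-in for a queued packet */

struct tx_ctx {                      /* hypothetical model of driver state */
    struct frame *tx_frames[TX_FRAMES];
    unsigned completed;              /* completions accepted */
    unsigned rejected;               /* completions dropped by validation */
};

/* Returns 0 if the completion was accepted, -1 if it was rejected. */
int tx_complete_checked(struct tx_ctx *ctx, uint8_t fw_id)
{
    struct frame *f;

    /* The ID comes from firmware: range-check it before it is an index. */
    if (fw_id >= TX_FRAMES) {
        ctx->rejected++;
        return -1;
    }
    f = ctx->tx_frames[fw_id];
    /* In range but no frame pending: stale or repeated completion. */
    if (f == NULL) {
        ctx->rejected++;
        return -1;
    }
    ctx->tx_frames[fw_id] = NULL;    /* release the slot exactly once */
    ctx->completed++;
    return 0;
}

/* Constructed sample: one valid ID, two out-of-range IDs, one repeat. */
unsigned run_sample(struct tx_ctx *ctx)
{
    static struct frame pkt = { 64 };
    static const uint8_t ids[] = { 3, 16, 255, 3 };
    size_t i;

    ctx->tx_frames[3] = &pkt;
    for (i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
        tx_complete_checked(ctx, ids[i]);
    return ctx->rejected;
}

int main(void)
{
    struct tx_ctx ctx = {0};
    return run_sample(&ctx) == 3 ? 0 : 1;
}
```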