Commit c701574c authored Jun 12, 2025 by Michael Lo Committed by Felix Fietkau Jul 07, 2025

wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan

Update the destination index to use 'n_ssids', which is incremented only
when a valid SSID is present. Previously, both mt76_connac_mcu_hw_scan()
and mt7925_mcu_hw_scan() used the loop index 'i' for the destination
array, potentially leaving gaps if any source SSIDs had zero length.

Cc: stable@vger.kernel.org
Fixes: c948b5da ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Michael Lo <michael.lo@mediatek.com>
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Link: https://patch.msgid.link/20250612062046.160598-1-mingyen.hsieh@mediatek.com

Signed-off-by: Felix Fietkau <nbd@nbd.name>

parent d20de553

drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -1740,8 +1740,8 @@ int mt76_connac_mcu_hw_scan(struct mt76_phy phy, struct ieee80211_vif vif,
		if (!sreq->ssids[i].ssid_len)
		continue;

		req->ssids[i].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len);
		memcpy(req->ssids[i].ssid, sreq->ssids[i].ssid,
		req->ssids[n_ssids].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len);
		memcpy(req->ssids[n_ssids].ssid, sreq->ssids[i].ssid,
		sreq->ssids[i].ssid_len);
		n_ssids++;
		}

drivers/net/wireless/mediatek/mt76/mt7925/mcu.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -2869,8 +2869,8 @@ int mt7925_mcu_hw_scan(struct mt76_phy phy, struct ieee80211_vif vif,
		if (i > MT7925_RNR_SCAN_MAX_BSSIDS)
		break;

		ssid->ssids[i].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len);
		memcpy(ssid->ssids[i].ssid, sreq->ssids[i].ssid,
		ssid->ssids[n_ssids].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len);
		memcpy(ssid->ssids[n_ssids].ssid, sreq->ssids[i].ssid,
		sreq->ssids[i].ssid_len);
		n_ssids++;
		}