wifi: mac80211: clear frame buffer to never leak stack
author Johannes Berg <johannes.berg@intel.com>
Tue, 1 Jul 2025 07:22:13 +0000 (09:22 +0200)
committer Johannes Berg <johannes.berg@intel.com>
Mon, 7 Jul 2025 08:42:36 +0000 (10:42 +0200)
In disconnect paths, local frame buffers are used
to build deauthentication frames to send them over the
air and as notifications to userspace. Some internal
error paths (that, given no other bugs, cannot happen)
don't always initialize the buffers before sending them
to userspace, so in the presence of other bugs they can
leak stack content. Initialize the buffers to avoid the
possibility of this happening.

Suggested-by: Zhongqiu Han <quic_zhonhan@quicinc.com>
Link: https://patch.msgid.link/20250701072213.13004-2-johannes@sipsolutions.net
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/mac80211/mlme.c

index 7ddb8e77b4c73264bdd48422c231d8ed73f6d647..d26dcee5683abd8b7ac8d41821619cd99ebbc1a8 100644 (file)
@@ -3934,6 +3934,9 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
 
        lockdep_assert_wiphy(local->hw.wiphy);
 
+       if (frame_buf)
+               memset(frame_buf, 0, IEEE80211_DEAUTH_FRAME_LEN);
+
        if (WARN_ON(!ap_sta))
                return;
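
Review bot: The memset added at the top of ieee80211_set_disassoc() clears a fixed IEEE80211_DEAUTH_FRAME_LEN bytes, but frame_buf is used here as a bare pointer with no length beside it, so the clear is only safe if every caller passes a buffer at least that large. Consider a short comment above the `if (frame_buf)` block stating that size contract, and noting that the clear must stay ahead of the `WARN_ON(!ap_sta)` early return so a later refactor does not move it below the return and reopen the uninitialized-buffer path.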