* [PATCH v3 0/3] wifi: carl9170: firmware trust boundary hardening
@ 2026-04-21 13:49 Tristan Madani
2026-04-21 13:49 ` [PATCH v3 1/3] wifi: carl9170: bound memcpy length in cmd callback to prevent OOB read Tristan Madani
` (3 more replies)
0 siblings, 4 replies; 10+ messages in thread
From: Tristan Madani @ 2026-04-21 13:49 UTC (permalink / raw)
To: Christian Lamparter
Cc: Johannes Berg, linux-wireless, linux-kernel, Tristan Madani
From: Tristan Madani <tristan@talencesecurity.com>
This series adds missing bounds checks for firmware-controlled fields
in the carl9170 USB driver.
Patch 1 bounds the cmd callback memcpy to prevent heap overflow from
an oversized firmware response. Patch 2 fixes an off-by-two in the TX
status handler. Patch 3 caps the failover copy to rx_failover_missing
bytes, using min_t per Christian Lamparter.
Changes in v3:
- Regenerated from wireless-next with proper git format-patch.
Changes in v2:
- Use min_t() instead of separate if-check in patch 3, per
Christian Lamparter.
Tristan Madani (3):
wifi: carl9170: bound memcpy length in cmd callback to prevent OOB
read
wifi: carl9170: fix OOB read from off-by-two in TX status handler
wifi: carl9170: fix buffer overflow in rx_stream failover path
drivers/net/wireless/ath/carl9170/rx.c | 7 +++++--
drivers/net/wireless/ath/carl9170/tx.c | 2 +-
2 files changed, 6 insertions(+), 3 deletions(-)
--
2.47.3
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH v3 1/3] wifi: carl9170: bound memcpy length in cmd callback to prevent OOB read
2026-04-21 13:49 [PATCH v3 0/3] wifi: carl9170: firmware trust boundary hardening Tristan Madani
@ 2026-04-21 13:49 ` Tristan Madani
2026-07-04 19:48 ` Christian Lamparter
2026-04-21 13:49 ` [PATCH v3 2/3] wifi: carl9170: fix OOB read from off-by-two in TX status handler Tristan Madani
` (2 subsequent siblings)
3 siblings, 1 reply; 10+ messages in thread
From: Tristan Madani @ 2026-04-21 13:49 UTC (permalink / raw)
To: Christian Lamparter
Cc: Johannes Berg, linux-wireless, linux-kernel, Tristan Madani
From: Tristan Madani <tristan@talencesecurity.com>
When the firmware sends a command response with a length mismatch,
carl9170_cmd_callback() logs the mismatch and calls carl9170_restart()
but then falls through to memcpy(ar->readbuf, buffer + 4, len - 4).
Since len comes from the firmware and can exceed ar->readlen, this
copies more data than the readbuf was allocated for.
Bound the memcpy to min(len - 4, ar->readlen) so that the response
is still completed -- avoiding repeated restarts from queued garbage --
while preventing an overread past the response buffer.
Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Changes in v3:
- Regenerated from wireless-next with proper git format-patch to
produce valid index hashes (v2 had post-processed index lines).
Changes in v2:
- No code changes from v1.
drivers/net/wireless/ath/carl9170/rx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/carl9170/rx.c b/drivers/net/wireless/ath/carl9170/rx.c
index 6833430130f4c..f6855efc05c0f 100644
--- a/drivers/net/wireless/ath/carl9170/rx.c
+++ b/drivers/net/wireless/ath/carl9170/rx.c
@@ -150,7 +150,8 @@ static void carl9170_cmd_callback(struct ar9170 *ar, u32 len, void *buffer)
spin_lock(&ar->cmd_lock);
if (ar->readbuf) {
if (len >= 4)
- memcpy(ar->readbuf, buffer + 4, len - 4);
+ memcpy(ar->readbuf, buffer + 4,
+ min_t(u32, len - 4, ar->readlen));
ar->readbuf = NULL;
}
--
2.47.3
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH v3 2/3] wifi: carl9170: fix OOB read from off-by-two in TX status handler
2026-04-21 13:49 [PATCH v3 0/3] wifi: carl9170: firmware trust boundary hardening Tristan Madani
2026-04-21 13:49 ` [PATCH v3 1/3] wifi: carl9170: bound memcpy length in cmd callback to prevent OOB read Tristan Madani
@ 2026-04-21 13:49 ` Tristan Madani
2026-07-04 19:48 ` Christian Lamparter
2026-04-21 13:49 ` [PATCH v3 3/3] wifi: carl9170: fix buffer overflow in rx_stream failover path Tristan Madani
2026-07-01 17:47 ` [PATCH v3 0/3] wifi: carl9170: firmware trust boundary hardening Jeff Johnson
3 siblings, 1 reply; 10+ messages in thread
From: Tristan Madani @ 2026-04-21 13:49 UTC (permalink / raw)
To: Christian Lamparter
Cc: Johannes Berg, linux-wireless, linux-kernel, Tristan Madani
From: Tristan Madani <tristan@talencesecurity.com>
The bounds check in carl9170_tx_process_status() uses
`i > ((cmd->hdr.len / 2) + 1)` which is off by two, allowing
2 extra iterations past valid _tx_status entries when the firmware-
controlled hdr.ext exceeds hdr.len/2. Fix by using the correct
comparison `i >= (cmd->hdr.len / 2)`.
Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Changes in v3:
- Regenerated from wireless-next with proper git format-patch to
produce valid index hashes (v2 had post-processed index lines).
Changes in v2:
- No code changes from v1.
drivers/net/wireless/ath/carl9170/tx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/carl9170/tx.c b/drivers/net/wireless/ath/carl9170/tx.c
index 59caf1e4b1589..06aaf281655b1 100644
--- a/drivers/net/wireless/ath/carl9170/tx.c
+++ b/drivers/net/wireless/ath/carl9170/tx.c
@@ -692,7 +692,7 @@ void carl9170_tx_process_status(struct ar9170 *ar,
unsigned int i;
for (i = 0; i < cmd->hdr.ext; i++) {
- if (WARN_ON(i > ((cmd->hdr.len / 2) + 1))) {
+ if (WARN_ON(i >= (cmd->hdr.len / 2))) {
print_hex_dump_bytes("UU:", DUMP_PREFIX_NONE,
(void *) cmd, cmd->hdr.len + 4);
break;
--
2.47.3
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH v3 3/3] wifi: carl9170: fix buffer overflow in rx_stream failover path
2026-04-21 13:49 [PATCH v3 0/3] wifi: carl9170: firmware trust boundary hardening Tristan Madani
2026-04-21 13:49 ` [PATCH v3 1/3] wifi: carl9170: bound memcpy length in cmd callback to prevent OOB read Tristan Madani
2026-04-21 13:49 ` [PATCH v3 2/3] wifi: carl9170: fix OOB read from off-by-two in TX status handler Tristan Madani
@ 2026-04-21 13:49 ` Tristan Madani
2026-07-01 18:32 ` Jeff Johnson
2026-07-04 19:48 ` Christian Lamparter
2026-07-01 17:47 ` [PATCH v3 0/3] wifi: carl9170: firmware trust boundary hardening Jeff Johnson
3 siblings, 2 replies; 10+ messages in thread
From: Tristan Madani @ 2026-04-21 13:49 UTC (permalink / raw)
To: Christian Lamparter
Cc: Johannes Berg, linux-wireless, linux-kernel, Tristan Madani
From: Tristan Madani <tristan@talencesecurity.com>
The failover continuation in carl9170_rx_stream() copies the full tlen
from the second USB transfer instead of capping at rx_failover_missing
bytes. When both transfers are near maximum size, the total exceeds the
65535-byte failover SKB, triggering skb_over_panic.
Limit the copy size to the missing byte count.
Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Changes in v3:
- Regenerated from wireless-next with proper git format-patch.
Changes in v2:
- Use min_t() instead of separate if-check, per Christian Lamparter.
drivers/net/wireless/ath/carl9170/rx.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/carl9170/rx.c b/drivers/net/wireless/ath/carl9170/rx.c
index f6855efc05c0f..ccadc46385240 100644
--- a/drivers/net/wireless/ath/carl9170/rx.c
+++ b/drivers/net/wireless/ath/carl9170/rx.c
@@ -918,7 +918,9 @@ static void carl9170_rx_stream(struct ar9170 *ar, void *buf, unsigned int len)
}
}
- skb_put_data(ar->rx_failover, tbuf, tlen);
+ skb_put_data(ar->rx_failover, tbuf,
+ min_t(unsigned int, tlen,
+ ar->rx_failover_missing));
ar->rx_failover_missing -= tlen;
if (ar->rx_failover_missing <= 0) {
--
2.47.3
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH v3 0/3] wifi: carl9170: firmware trust boundary hardening
2026-04-21 13:49 [PATCH v3 0/3] wifi: carl9170: firmware trust boundary hardening Tristan Madani
` (2 preceding siblings ...)
2026-04-21 13:49 ` [PATCH v3 3/3] wifi: carl9170: fix buffer overflow in rx_stream failover path Tristan Madani
@ 2026-07-01 17:47 ` Jeff Johnson
2026-07-04 19:47 ` Christian Lamparter
3 siblings, 1 reply; 10+ messages in thread
From: Jeff Johnson @ 2026-07-01 17:47 UTC (permalink / raw)
To: Tristan Madani, Christian Lamparter
Cc: Johannes Berg, linux-wireless, linux-kernel, Tristan Madani
On 4/21/2026 6:49 AM, Tristan Madani wrote:
> From: Tristan Madani <tristan@talencesecurity.com>
>
> This series adds missing bounds checks for firmware-controlled fields
> in the carl9170 USB driver.
>
> Patch 1 bounds the cmd callback memcpy to prevent heap overflow from
> an oversized firmware response. Patch 2 fixes an off-by-two in the TX
> status handler. Patch 3 caps the failover copy to rx_failover_missing
> bytes, using min_t per Christian Lamparter.
>
> Changes in v3:
> - Regenerated from wireless-next with proper git format-patch.
>
> Changes in v2:
> - Use min_t() instead of separate if-check in patch 3, per
> Christian Lamparter.
>
> Tristan Madani (3):
> wifi: carl9170: bound memcpy length in cmd callback to prevent OOB
> read
> wifi: carl9170: fix OOB read from off-by-two in TX status handler
> wifi: carl9170: fix buffer overflow in rx_stream failover path
>
> drivers/net/wireless/ath/carl9170/rx.c | 7 +++++--
> drivers/net/wireless/ath/carl9170/tx.c | 2 +-
> 2 files changed, 6 insertions(+), 3 deletions(-)
>
Christian, will you be able to review this series?
I'll take it once I get reviewed-by or acked-by tags.
And then we can ignore the dups from others.
/jeff
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v3 3/3] wifi: carl9170: fix buffer overflow in rx_stream failover path
2026-04-21 13:49 ` [PATCH v3 3/3] wifi: carl9170: fix buffer overflow in rx_stream failover path Tristan Madani
@ 2026-07-01 18:32 ` Jeff Johnson
2026-07-04 19:48 ` Christian Lamparter
1 sibling, 0 replies; 10+ messages in thread
From: Jeff Johnson @ 2026-07-01 18:32 UTC (permalink / raw)
To: Tristan Madani, Christian Lamparter
Cc: Johannes Berg, linux-wireless, linux-kernel, Tristan Madani
On 4/21/2026 6:49 AM, Tristan Madani wrote:
> From: Tristan Madani <tristan@talencesecurity.com>
>
> The failover continuation in carl9170_rx_stream() copies the full tlen
> from the second USB transfer instead of capping at rx_failover_missing
> bytes. When both transfers are near maximum size, the total exceeds the
> 65535-byte failover SKB, triggering skb_over_panic.
>
> Limit the copy size to the missing byte count.
>
> Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend")
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
> ---
> Changes in v3:
> - Regenerated from wireless-next with proper git format-patch.
>
> Changes in v2:
> - Use min_t() instead of separate if-check, per Christian Lamparter.
>
> drivers/net/wireless/ath/carl9170/rx.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/ath/carl9170/rx.c b/drivers/net/wireless/ath/carl9170/rx.c
> index f6855efc05c0f..ccadc46385240 100644
> --- a/drivers/net/wireless/ath/carl9170/rx.c
> +++ b/drivers/net/wireless/ath/carl9170/rx.c
> @@ -918,7 +918,9 @@ static void carl9170_rx_stream(struct ar9170 *ar, void *buf, unsigned int len)
> }
> }
>
> - skb_put_data(ar->rx_failover, tbuf, tlen);
> + skb_put_data(ar->rx_failover, tbuf,
> + min_t(unsigned int, tlen,
checkpatch complains:
CHECK:PARENTHESIS_ALIGNMENT: Alignment should match open parenthesis
no need to repost for this, I can fix when applying
> + ar->rx_failover_missing));
> ar->rx_failover_missing -= tlen;
>
> if (ar->rx_failover_missing <= 0) {
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v3 0/3] wifi: carl9170: firmware trust boundary hardening
2026-07-01 17:47 ` [PATCH v3 0/3] wifi: carl9170: firmware trust boundary hardening Jeff Johnson
@ 2026-07-04 19:47 ` Christian Lamparter
0 siblings, 0 replies; 10+ messages in thread
From: Christian Lamparter @ 2026-07-04 19:47 UTC (permalink / raw)
To: Jeff Johnson, Tristan Madani, Christian Lamparter
Cc: Johannes Berg, linux-wireless, linux-kernel, Tristan Madani
On 7/1/26 7:47 PM, Jeff Johnson wrote:
> On 4/21/2026 6:49 AM, Tristan Madani wrote:
>> From: Tristan Madani <tristan@talencesecurity.com>
>>
>> This series adds missing bounds checks for firmware-controlled fields
>> in the carl9170 USB driver.
>>
>> Patch 1 bounds the cmd callback memcpy to prevent heap overflow from
>> an oversized firmware response. Patch 2 fixes an off-by-two in the TX
>> status handler. Patch 3 caps the failover copy to rx_failover_missing
>> bytes, using min_t per Christian Lamparter.
>>
>> Changes in v3:
>> - Regenerated from wireless-next with proper git format-patch.
>>
>> Changes in v2:
>> - Use min_t() instead of separate if-check in patch 3, per
>> Christian Lamparter.
>>
>> Tristan Madani (3):
>> wifi: carl9170: bound memcpy length in cmd callback to prevent OOB
>> read
>> wifi: carl9170: fix OOB read from off-by-two in TX status handler
>> wifi: carl9170: fix buffer overflow in rx_stream failover path
>>
>> drivers/net/wireless/ath/carl9170/rx.c | 7 +++++--
>> drivers/net/wireless/ath/carl9170/tx.c | 2 +-
>> 2 files changed, 6 insertions(+), 3 deletions(-)
>>
>
> Christian, will you be able to review this series?
> I'll take it once I get reviewed-by or acked-by tags.
> And then we can ignore the dups from others.
From what I can tell, the "others" made the effort to also check skzkaller.
i.e: https://www.spinics.net/lists/stable/msg965098.html
Closes: https://syzkaller.appspot.com/bug?extid=5c1ca6ccaa1215781cac
Wouldn't it be possible to merge this information with the patch? I guess not.
Oh well.
As for the series I do have a headache with patch 2, I wonder why none of the
other AI-fueled mails proposed the same.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v3 1/3] wifi: carl9170: bound memcpy length in cmd callback to prevent OOB read
2026-04-21 13:49 ` [PATCH v3 1/3] wifi: carl9170: bound memcpy length in cmd callback to prevent OOB read Tristan Madani
@ 2026-07-04 19:48 ` Christian Lamparter
0 siblings, 0 replies; 10+ messages in thread
From: Christian Lamparter @ 2026-07-04 19:48 UTC (permalink / raw)
To: Tristan Madani, Christian Lamparter
Cc: Johannes Berg, linux-wireless, linux-kernel, Tristan Madani
On 4/21/26 3:49 PM, Tristan Madani wrote:
> From: Tristan Madani <tristan@talencesecurity.com>
>
> When the firmware sends a command response with a length mismatch,
> carl9170_cmd_callback() logs the mismatch and calls carl9170_restart()
> but then falls through to memcpy(ar->readbuf, buffer + 4, len - 4).
> Since len comes from the firmware and can exceed ar->readlen, this
> copies more data than the readbuf was allocated for.
>
> Bound the memcpy to min(len - 4, ar->readlen) so that the response
> is still completed -- avoiding repeated restarts from queued garbage --
> while preventing an overread past the response buffer.
>
> Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend")
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Acked-by: Christian Lamparter <chunkeey@gmail.com>
> ---
> Changes in v3:
> - Regenerated from wireless-next with proper git format-patch to
> produce valid index hashes (v2 had post-processed index lines).
>
> Changes in v2:
> - No code changes from v1.
>
> drivers/net/wireless/ath/carl9170/rx.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/ath/carl9170/rx.c b/drivers/net/wireless/ath/carl9170/rx.c
> index 6833430130f4c..f6855efc05c0f 100644
> --- a/drivers/net/wireless/ath/carl9170/rx.c
> +++ b/drivers/net/wireless/ath/carl9170/rx.c
> @@ -150,7 +150,8 @@ static void carl9170_cmd_callback(struct ar9170 *ar, u32 len, void *buffer)
> spin_lock(&ar->cmd_lock);
> if (ar->readbuf) {
> if (len >= 4)
> - memcpy(ar->readbuf, buffer + 4, len - 4);
> + memcpy(ar->readbuf, buffer + 4,
> + min_t(u32, len - 4, ar->readlen));
>
> ar->readbuf = NULL;
> }
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v3 2/3] wifi: carl9170: fix OOB read from off-by-two in TX status handler
2026-04-21 13:49 ` [PATCH v3 2/3] wifi: carl9170: fix OOB read from off-by-two in TX status handler Tristan Madani
@ 2026-07-04 19:48 ` Christian Lamparter
0 siblings, 0 replies; 10+ messages in thread
From: Christian Lamparter @ 2026-07-04 19:48 UTC (permalink / raw)
To: Tristan Madani, Christian Lamparter
Cc: Johannes Berg, linux-wireless, linux-kernel, Tristan Madani
On 4/21/26 3:49 PM, Tristan Madani wrote:
> From: Tristan Madani <tristan@talencesecurity.com>
>
> The bounds check in carl9170_tx_process_status() uses
> `i > ((cmd->hdr.len / 2) + 1)` which is off by two, allowing
> 2 extra iterations past valid _tx_status entries when the firmware-
> controlled hdr.ext exceeds hdr.len/2. Fix by using the correct
> comparison `i >= (cmd->hdr.len / 2)`.
>
> Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend")
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Acked-by: Christian Lamparter <chunkeey@gmail.com>
> ---
> Changes in v3:
> - Regenerated from wireless-next with proper git format-patch to
> produce valid index hashes (v2 had post-processed index lines).
>
> Changes in v2:
> - No code changes from v1.
>
> drivers/net/wireless/ath/carl9170/tx.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/ath/carl9170/tx.c b/drivers/net/wireless/ath/carl9170/tx.c
> index 59caf1e4b1589..06aaf281655b1 100644
> --- a/drivers/net/wireless/ath/carl9170/tx.c
> +++ b/drivers/net/wireless/ath/carl9170/tx.c
> @@ -692,7 +692,7 @@ void carl9170_tx_process_status(struct ar9170 *ar,
> unsigned int i;
>
> for (i = 0; i < cmd->hdr.ext; i++) {
> - if (WARN_ON(i > ((cmd->hdr.len / 2) + 1))) {
> + if (WARN_ON(i >= (cmd->hdr.len / 2))) {
> print_hex_dump_bytes("UU:", DUMP_PREFIX_NONE,
> (void *) cmd, cmd->hdr.len + 4);
> break;
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v3 3/3] wifi: carl9170: fix buffer overflow in rx_stream failover path
2026-04-21 13:49 ` [PATCH v3 3/3] wifi: carl9170: fix buffer overflow in rx_stream failover path Tristan Madani
2026-07-01 18:32 ` Jeff Johnson
@ 2026-07-04 19:48 ` Christian Lamparter
1 sibling, 0 replies; 10+ messages in thread
From: Christian Lamparter @ 2026-07-04 19:48 UTC (permalink / raw)
To: Tristan Madani, Christian Lamparter
Cc: Johannes Berg, linux-wireless, linux-kernel, Tristan Madani
On 4/21/26 3:49 PM, Tristan Madani wrote:
> From: Tristan Madani <tristan@talencesecurity.com>
>
> The failover continuation in carl9170_rx_stream() copies the full tlen
> from the second USB transfer instead of capping at rx_failover_missing
> bytes. When both transfers are near maximum size, the total exceeds the
> 65535-byte failover SKB, triggering skb_over_panic.
>
> Limit the copy size to the missing byte count.
>
> Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend")
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Acked-by: Christian Lamparter <chunkeey@gmail.com>
> ---
> Changes in v3:
> - Regenerated from wireless-next with proper git format-patch.
>
> Changes in v2:
> - Use min_t() instead of separate if-check, per Christian Lamparter.
>
> drivers/net/wireless/ath/carl9170/rx.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/ath/carl9170/rx.c b/drivers/net/wireless/ath/carl9170/rx.c
> index f6855efc05c0f..ccadc46385240 100644
> --- a/drivers/net/wireless/ath/carl9170/rx.c
> +++ b/drivers/net/wireless/ath/carl9170/rx.c
> @@ -918,7 +918,9 @@ static void carl9170_rx_stream(struct ar9170 *ar, void *buf, unsigned int len)
> }
> }
>
> - skb_put_data(ar->rx_failover, tbuf, tlen);
> + skb_put_data(ar->rx_failover, tbuf,
> + min_t(unsigned int, tlen,
> + ar->rx_failover_missing));
> ar->rx_failover_missing -= tlen;
>
> if (ar->rx_failover_missing <= 0) {
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2026-07-04 19:48 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-21 13:49 [PATCH v3 0/3] wifi: carl9170: firmware trust boundary hardening Tristan Madani
2026-04-21 13:49 ` [PATCH v3 1/3] wifi: carl9170: bound memcpy length in cmd callback to prevent OOB read Tristan Madani
2026-07-04 19:48 ` Christian Lamparter
2026-04-21 13:49 ` [PATCH v3 2/3] wifi: carl9170: fix OOB read from off-by-two in TX status handler Tristan Madani
2026-07-04 19:48 ` Christian Lamparter
2026-04-21 13:49 ` [PATCH v3 3/3] wifi: carl9170: fix buffer overflow in rx_stream failover path Tristan Madani
2026-07-01 18:32 ` Jeff Johnson
2026-07-04 19:48 ` Christian Lamparter
2026-07-01 17:47 ` [PATCH v3 0/3] wifi: carl9170: firmware trust boundary hardening Jeff Johnson
2026-07-04 19:47 ` Christian Lamparter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox