From: Tristan Madani
To: Johannes Berg
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Tristan Madani
Subject: [PATCH v3 1/3] wifi: ath6kl: fix OOB access from firmware ADDBA window size
Date: Tue, 21 Apr 2026 13:50:07 +0000
Message-ID: <20260421135009.348084-2-tristmd@gmail.com>
In-Reply-To: <20260421135009.348084-1-tristmd@gmail.com>
References: <20260421135009.348084-1-tristmd@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: Tristan Madani

aggr_recv_addba_req_evt() logs a debug message when the firmware-supplied
win_sz is outside [AGGR_WIN_SZ_MIN, AGGR_WIN_SZ_MAX] but does not return.
The out-of-range win_sz is then used in TID_WINDOW_SZ() to compute a
kzalloc size and stored in rxtid->hold_q_sz, leading to zero-size or
overflowed allocations and subsequent OOB access.

Return early when win_sz is out of the valid range.

Fixes: bdcd81707973 ("Add ath6kl cleaned up driver")
Signed-off-by: Tristan Madani
---
Changes in v3:
- Regenerated from wireless-next with proper git format-patch to produce
  valid index hashes (v2 had post-processed index lines).

Changes in v2:
- No code changes from v1.

 drivers/net/wireless/ath/ath6kl/txrx.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath6kl/txrx.c b/drivers/net/wireless/ath/ath6kl/txrx.c
index 97fdac7237e26..5575b535f94cd 100644
--- a/drivers/net/wireless/ath/ath6kl/txrx.c
+++ b/drivers/net/wireless/ath/ath6kl/txrx.c
@@ -1723,9 +1723,11 @@ void aggr_recv_addba_req_evt(struct ath6kl_vif *vif, u8 tid_mux, u16 seq_no, rxtid = &aggr_conn->rx_tid[tid]; - if (win_sz < AGGR_WIN_SZ_MIN || win_sz > AGGR_WIN_SZ_MAX) + if (win_sz < AGGR_WIN_SZ_MIN || win_sz > AGGR_WIN_SZ_MAX) { ath6kl_dbg(ATH6KL_DBG_WLAN_RX, "%s: win_sz %d, tid %d\n", __func__, win_sz, tid); + return; + } if (rxtid->aggr) aggr_delete_tid_state(aggr_conn, tid); -- 2.47.3
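Review bot: the new "return;" in this hunk runs before the "if (rxtid->aggr) aggr_delete_tid_state(aggr_conn, tid);" that follows it, so an out-of-range win_sz arriving for a TID that already has aggregation enabled now leaves the existing reorder state, with its previous hold_q_sz, in place, whereas before the patch the code fell through and that state was torn down on every ADDBA. If a rejected ADDBA should also disable aggregation on that TID, move the range check below the aggr_delete_tid_state() call or tear the state down explicitly before returning; if keeping the old state is the intended behaviour, a sentence in the commit message saying so would help reviewers. Separately, since a firmware-supplied value is now being dropped outright, consider whether a rate-limited warning is more useful here than ath6kl_dbg(ATH6KL_DBG_WLAN_RX, ...), which is silent unless that debug mask is enabled, so misbehaving firmware would go unnoticed in the field.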
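The mechanism described in the commit message (an unchecked win_sz flowing into TID_WINDOW_SZ() and then into the hold-queue allocation and reorder index) can be reproduced in user space with a small model. The following is an added example written for this review, not ath6kl driver code and not part of the patch: the constants AGGR_WIN_SZ_MIN/MAX, the TID_WINDOW_SZ() shift and the modulo-based slot lookup are assumptions chosen to mirror the driver's core.h, and the struct names are invented stand-ins for the driver's rxtid and skb_hold_q. It shows the pre-patch path producing a zero-entry hold queue for win_sz 0 (which in the kernel would be a ZERO_SIZE_PTR that faults when indexed, and a modulo by zero in the reorder path) and the patched path rejecting the value before any size is computed.

```c
/* Added example, not ath6kl code: user-space model of the ADDBA
 * window-size check fixed by this patch. Constants, TID_WINDOW_SZ()
 * and AGGR_WIN_IDX() are ASSUMED to mirror ath6kl's core.h. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define AGGR_WIN_SZ_MIN 2                 /* assumed */
#define AGGR_WIN_SZ_MAX 8                 /* assumed */
#define TID_WINDOW_SZ(x) ((x) << 1)       /* assumed: hold queue = 2 * window */
#define AGGR_WIN_IDX(x, y) ((x) % (y))    /* assumed: reorder slot lookup */

/* Stand-ins (hypothetical names) for the driver's skb_hold_q and rxtid. */
struct hold_q_entry_model { uint16_t seq_no; void *skb; };

struct rxtid_model {
	bool aggr;
	uint16_t hold_q_sz;
	struct hold_q_entry_model *hold_q;
};

/* The range check the patch turns into an early return. */
static bool addba_win_sz_valid(uint8_t win_sz)
{
	return win_sz >= AGGR_WIN_SZ_MIN && win_sz <= AGGR_WIN_SZ_MAX;
}

/* Pre-patch behaviour: size the hold queue from win_sz unconditionally.
 * kzalloc(0) in the kernel returns ZERO_SIZE_PTR, which is non-NULL and
 * faults on dereference; the model uses NULL for a zero-entry queue. */
static int addba_setup_unchecked(struct rxtid_model *rxtid, uint8_t win_sz)
{
	free(rxtid->hold_q);
	rxtid->hold_q_sz = TID_WINDOW_SZ(win_sz);
	rxtid->hold_q = rxtid->hold_q_sz ?
		calloc(rxtid->hold_q_sz, sizeof(*rxtid->hold_q)) : NULL;
	if (rxtid->hold_q_sz && !rxtid->hold_q) {
		rxtid->hold_q_sz = 0;
		return -ENOMEM;
	}
	rxtid->aggr = true;
	return 0;
}

/* Patched behaviour: reject before any size is derived from win_sz. */
static int addba_setup_checked(struct rxtid_model *rxtid, uint8_t win_sz)
{
	if (!addba_win_sz_valid(win_sz))
		return -EINVAL;
	return addba_setup_unchecked(rxtid, win_sz);
}

/* Reorder slot for a sequence number; -1 when the queue cannot be used.
 * Without the guard, hold_q_sz == 0 would be a division by zero. */
static int addba_slot(const struct rxtid_model *rxtid, uint16_t seq_no)
{
	if (!rxtid->aggr || rxtid->hold_q_sz == 0)
		return -1;
	return AGGR_WIN_IDX(seq_no, rxtid->hold_q_sz);
}

/* Helpers that run one ADDBA on a fresh TID and report the outcome:
 * hold_q_sz on success, negative errno on rejection. */
static int hold_q_sz_after(uint8_t win_sz, bool checked)
{
	struct rxtid_model rxtid = { 0 };
	int ret = checked ? addba_setup_checked(&rxtid, win_sz)
			  : addba_setup_unchecked(&rxtid, win_sz);
	int out = ret ? ret : rxtid.hold_q_sz;
	free(rxtid.hold_q);
	return out;
}

static int slot_after(uint8_t win_sz, uint16_t seq_no, bool checked)
{
	struct rxtid_model rxtid = { 0 };
	if (checked)
		addba_setup_checked(&rxtid, win_sz);
	else
		addba_setup_unchecked(&rxtid, win_sz);
	int slot = addba_slot(&rxtid, seq_no);
	free(rxtid.hold_q);
	return slot;
}

int main(void)
{
	/* Constructed firmware-supplied values: two valid, three invalid. */
	const uint8_t samples[] = { 2, 8, 0, 1, 255 };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("win_sz=%3u unchecked hold_q_sz=%4d checked=%4d\n",
		       samples[i], hold_q_sz_after(samples[i], false),
		       hold_q_sz_after(samples[i], true));
	return 0;
}
```

The unchecked path hands win_sz 0 straight to the allocator and stores 0 in hold_q_sz, so every later slot lookup is either a fault through the zero-size pointer or a modulo by zero; the checked path never reaches the allocation for any value outside [AGGR_WIN_SZ_MIN, AGGR_WIN_SZ_MAX].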