[PATCH v2 1/3] wifi: wcn36xx: fix heap overflow from oversized firmware HAL response

Johannes Berg johannes at sipsolutions.net
Wed Apr 15 23:38:50 PDT 2026


Hi Tristan,

On Wed, 2026-04-15 at 22:37 +0000, Tristan Madani wrote:
> From: Tristan Madani <tristan at talencesecurity.com>
> 
> The firmware response dispatcher copies all synchronous HAL responses
> into the 4096-byte hal_buf without validating the response length. A
> response exceeding WCN36XX_HAL_BUF_SIZE causes a heap buffer overflow
> with firmware-controlled content.
> 
> Add a bounds check on the response length.

No real problem with these patches etc., but it seems implausible that
you're not using some kind of tool/LLM assistance, which you're supposed
to disclose (or at least I guess I'm supposed to ask you to):

https://docs.kernel.org/process/coding-assistants.html

johannes
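For readers who want the shape of the fix the quoted commit message describes, here is an added illustration (written for this reply, not code from the wcn36xx driver or from the patch): a response copier that treats the firmware-supplied length as untrusted and compares it against WCN36XX_HAL_BUF_SIZE before any byte reaches hal_buf. The struct, function names and the drop counter are hypothetical stand-ins, and the "firmware" payload is constructed locally.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WCN36XX_HAL_BUF_SIZE 4096

/* Hypothetical receive context (not the driver's real struct): the fixed
 * 4096-byte hal_buf, the length of the last accepted response, and a counter
 * a defender could export as a driver stat to notice misbehaving firmware. */
struct hal_rx_ctx {
	uint8_t hal_buf[WCN36XX_HAL_BUF_SIZE];
	size_t hal_rsp_len;
	unsigned long oversized_drops;
};

/* Copy one synchronous HAL response into hal_buf. The length is firmware-
 * controlled, so it is checked against the buffer size before memcpy runs;
 * an oversized response is dropped and counted instead of overflowing.
 * Returns 0 on success, -EMSGSIZE if too large, -EINVAL for a bad argument. */
static int hal_rsp_copy(struct hal_rx_ctx *ctx, const uint8_t *rsp, size_t len)
{
	if (!ctx || !rsp || len == 0)
		return -EINVAL;
	if (len > WCN36XX_HAL_BUF_SIZE) {
		ctx->oversized_drops++;
		return -EMSGSIZE;
	}
	memcpy(ctx->hal_buf, rsp, len);
	ctx->hal_rsp_len = len;
	return 0;
}

/* Demo state and a feeder that builds a constructed response of 'len' bytes
 * (byte i holds i & 0xff) and pushes it through the check. */
static struct hal_rx_ctx demo_ctx;

static int feed_constructed_rsp(size_t len)
{
	static uint8_t fw_rsp[WCN36XX_HAL_BUF_SIZE + 64]; /* constructed payload */
	size_t i;

	if (len > sizeof(fw_rsp))
		return -EINVAL;
	for (i = 0; i < len; i++)
		fw_rsp[i] = (uint8_t)(i & 0xff);
	return hal_rsp_copy(&demo_ctx, fw_rsp, len);
}

static size_t demo_rsp_len(void) { return demo_ctx.hal_rsp_len; }
static unsigned long demo_drops(void) { return demo_ctx.oversized_drops; }
static uint8_t demo_buf_byte(size_t i) { return demo_ctx.hal_buf[i]; }
```

A response of exactly WCN36XX_HAL_BUF_SIZE bytes is still accepted; only lengths strictly greater are rejected, which is the boundary worth covering in a regression test.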
