[PATCH v2 0/3] wifi: wcn36xx: fix OOB reads and heap overflow from firmware responses
Johannes Berg
johannes at sipsolutions.net
Thu Apr 16 11:39:36 PDT 2026
On Thu, 2026-04-16 at 09:25 -0700, Jeff Johnson wrote:
> On 4/15/2026 3:37 PM, Tristan Madani wrote:
> > From: Tristan Madani <tristan at talencesecurity.com>
> >
> > Hi Loic,
> >
> > Note: this is a v2 resubmission. The original was sent via Gmail which
> > caused HTML rendering issues. This version uses git send-email for
> > proper plain-text formatting.
> >
> > Three issues in wcn36xx HAL firmware response handling, including a heap
> > overflow in the main response dispatcher:
> >
> > Proposed fixes in the following patches.
> >
> > Thanks,
> > Tristan
>
> Are you able to cause these issues to occur?
> My expectation is that this is testing things that firmware will never do, and
> hence this adds code and processing with no actual benefit.
We're not really supposed to completely trust firmware though, right? :)
johannes
More information about the wcn36xx
mailing list