[PATCH v2 0/3] wifi: wcn36xx: fix OOB reads and heap overflow from firmware responses
Loic Poulain
loic.poulain at oss.qualcomm.com
Thu Apr 16 12:50:01 PDT 2026
On Thu, Apr 16, 2026 at 8:39 PM Johannes Berg <johannes at sipsolutions.net> wrote:
>
> On Thu, 2026-04-16 at 09:25 -0700, Jeff Johnson wrote:
> > On 4/15/2026 3:37 PM, Tristan Madani wrote:
> > > From: Tristan Madani <tristan at talencesecurity.com>
> > >
> > > Hi Loic,
> > >
> > > Note: this is a v2 resubmission. The original was sent via Gmail which
> > > caused HTML rendering issues. This version uses git send-email for
> > > proper plain-text formatting.
> > >
> > > Three issues in wcn36xx HAL firmware response handling, including a heap
> > > overflow in the main response dispatcher:
> > >
> > > Proposed fixes in the following patches.
> > >
> > > Thanks,
> > > Tristan
> >
> > Are you able to cause these issues to occur?
> > My expectation is that this is testing things that firmware will never do, and
> > hence this adds code and processing with no actual benefit.
>
> We're not really supposed to completely trust firmware though, right? :)

Right, at first glance, these appear to be legitimate and
straightforward buffer boundary checks. I’ll follow up with a review.

Regards,
Loic