[PATCH v3 3/3] wifi: wcn36xx: fix OOB read from short trigger BA firmware response
Loic Poulain
loic.poulain at oss.qualcomm.com
Tue Apr 21 07:03:34 PDT 2026
Hi Tristan,
On Tue, Apr 21, 2026 at 3:50 PM Tristan Madani <tristmd at gmail.com> wrote:
>
> From: Tristan Madani <tristan at talencesecurity.com>
>
> The firmware response length is only checked against sizeof(*rsp) (20
> bytes), but when candidate_cnt >= 1, a 22-byte candidate struct is read
> at buf + 20 without verifying the response contains it. This causes an
> out-of-bounds read of stale heap data, corrupting the BA session state.
>
> Add validation that the response includes the candidate data.
>
> Fixes: 16be1ac55944 ("wcn36xx: Parse trigger_ba response properly")
> Signed-off-by: Tristan Madani <tristan at talencesecurity.com>
In the previous series, Johannes pointed you to:
https://docs.kernel.org/process/coding-assistants.html
This document describes the Assisted-by: tag, which should be added
for AI usage tracking purposes.
> ---
> Changes in v3:
> - Regenerated from wireless-next with proper git format-patch to
> produce valid index hashes (v2 had post-processed index lines).
>
> Changes in v2:
> - No code changes from v1.
>
> drivers/net/wireless/ath/wcn36xx/smd.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c
> index 2a0c946d81095..c0b477345832b 100644
> --- a/drivers/net/wireless/ath/wcn36xx/smd.c
> +++ b/drivers/net/wireless/ath/wcn36xx/smd.c
> @@ -2599,6 +2599,9 @@ static int wcn36xx_smd_trigger_ba_rsp(void *buf, int len, struct add_ba_info *ba
> if (rsp->candidate_cnt < 1)
> return rsp->status ? rsp->status : -EINVAL;
>
> + if (len < sizeof(*rsp) + sizeof(*candidate))
> + return -EINVAL;
> +
> candidate = (struct wcn36xx_hal_trigger_ba_rsp_candidate *)(buf + sizeof(*rsp));
>
> for (i = 0; i < STACFG_MAX_TC; i++) {
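Review bot: the new check at `+ if (len < sizeof(*rsp) + sizeof(*candidate))` bounds exactly one candidate, which matches what follows (only the `candidate` at `buf + sizeof(*rsp)` is read, then the per-TID loop over `STACFG_MAX_TC`), but `candidate_cnt` is still accepted with any value >= 1; a one-line comment saying that only the first candidate is consumed would stop a later reader from taking this as a bound on `candidate_cnt` entries. Also, `len` is `int` while `sizeof` is `size_t`, so the comparison is done unsigned; that is safe here only because the earlier `sizeof(*rsp)` check the commit message describes already rejects short and negative lengths, which matters if these checks are ever reordered.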
> --
> 2.47.3
>
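As an added illustration of the fix (not wcn36xx code, and not from the patch author), the following stand-alone C model mirrors the patched control flow and feeds it two constructed responses: one that claims a candidate but carries only the 20-byte header, and one with the 22-byte candidate present. The struct layouts are assumptions sized only to match the 20- and 22-byte figures in the commit message.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>

/* Assumed layouts sized to the 20-byte response and 22-byte candidate the
 * commit message names; not the driver's real definitions. */
#define MODEL_MAX_TC 8
struct model_ba_rsp { uint32_t status; uint16_t candidate_cnt; uint8_t rsv[14]; } __attribute__((packed));
struct model_ba_candidate { uint8_t sta_addr[6]; uint16_t tid_info[MODEL_MAX_TC]; } __attribute__((packed));

/* Same flow as the patched function: header length, candidate_cnt, then the
 * added candidate length check before the candidate is dereferenced. */
int model_trigger_ba_rsp(const void *buf, int len, uint16_t tid_info[MODEL_MAX_TC])
{
	const struct model_ba_rsp *rsp = buf;
	const struct model_ba_candidate *cand;
	int i;

	if (len < 0 || (size_t)len < sizeof(*rsp))
		return -EINVAL;
	if (rsp->candidate_cnt < 1)
		return rsp->status ? (int)rsp->status : -EINVAL;
	if ((size_t)len < sizeof(*rsp) + sizeof(*cand)) /* the check the patch adds */
		return -EINVAL;
	cand = (const struct model_ba_candidate *)((const uint8_t *)buf + sizeof(*rsp));
	for (i = 0; i < MODEL_MAX_TC; i++)
		tid_info[i] = cand->tid_info[i];
	return 0;
}

/* Constructed response: candidate_cnt = 1, with or without the 22-byte
 * candidate appended. Returns the parser's status, or tid_info[0] on success. */
int model_parse(int with_candidate)
{
	uint8_t msg[sizeof(struct model_ba_rsp) + sizeof(struct model_ba_candidate)] = {0};
	struct model_ba_rsp hdr = { .status = 0, .candidate_cnt = 1 };
	struct model_ba_candidate cand = { .tid_info = { 0x0102 } };
	uint16_t tid_info[MODEL_MAX_TC];
	int len = (int)sizeof(hdr), rc;

	memcpy(msg, &hdr, sizeof(hdr));
	if (with_candidate) {
		memcpy(msg + sizeof(hdr), &cand, sizeof(cand));
		len += (int)sizeof(cand);
	}
	rc = model_trigger_ba_rsp(msg, len, tid_info);
	return rc ? rc : tid_info[0];
}
```

Without the added length check, the short case would read 22 bytes past the end of the 20-byte message instead of returning -EINVAL.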