[PATCH v3 2/3] wifi: wcn36xx: fix OOB read from firmware count in PRINT_REG_INFO indication
Jeff Johnson
jeff.johnson at oss.qualcomm.com
Fri Jun 5 14:38:11 PDT 2026
On 4/21/2026 6:50 AM, Tristan Madani wrote:
> From: Tristan Madani <tristan at talencesecurity.com>
>
> The firmware-controlled rsp->count field is used as the loop bound for
> indexing into the flexible rsp->regs[] array without validation against
> the message length. A count exceeding the actual data causes out-of-
> bounds reads from the heap-allocated message buffer.
>
> Add a check that count fits within the received message.
>
> Fixes: 43efa3c0f241 ("wcn36xx: Implement print_reg indication")
> Signed-off-by: Tristan Madani <tristan at talencesecurity.com>
Propagating from v2 so that b4 will pick it up...
Reviewed-by: Loic Poulain <loic.poulain at oss.qualcomm.com>
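
The kind of bound check the commit message describes, as an added example that is not the patch or the driver's code. Only the names count and regs[] come from the message above; the struct layout, the demo_ names and the sample buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout for illustration; only the names count and regs[]
 * come from the commit message, everything else is assumed. */
struct demo_reg { uint32_t addr; uint32_t value; };
struct demo_print_reg_rsp {
    uint32_t msg_type;      /* assumed fixed header field */
    uint32_t count;         /* device-supplied number of entries */
    struct demo_reg regs[]; /* flexible array, count entries expected */
};

/* Returns 0 and stores the entry count if it fits in len bytes, else -1. */
int demo_validate_count(const void *buf, size_t len, uint32_t *count_out)
{
    const size_t hdr_len = offsetof(struct demo_print_reg_rsp, regs);
    uint32_t count;

    if (len < hdr_len)
        return -1;          /* too short to even contain count */
    memcpy(&count, (const unsigned char *)buf +
           offsetof(struct demo_print_reg_rsp, count), sizeof(count));
    /* Divide the remaining bytes rather than multiplying count, so a
     * huge device-supplied value cannot overflow the comparison. */
    if (count > (len - hdr_len) / sizeof(struct demo_reg))
        return -1;
    *count_out = count;
    return 0;
}

int main(void)
{
    /* Constructed message: header plus room for exactly two entries. */
    unsigned char msg[sizeof(struct demo_print_reg_rsp) +
                      2 * sizeof(struct demo_reg)] = {0};
    uint32_t claimed[] = { 2, 3 }, n = 0;

    for (size_t i = 0; i < 2; i++) {
        memcpy(msg + offsetof(struct demo_print_reg_rsp, count),
               &claimed[i], sizeof(claimed[i]));
        int rc = demo_validate_count(msg, sizeof(msg), &n);
        printf("count=%u -> %s\n", (unsigned)claimed[i],
               rc ? "rejected" : "accepted");
    }
    return 0;
}
```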