[PATCH v3 1/3] wifi: wcn36xx: fix heap overflow from oversized firmware HAL response

Loic Poulain loic.poulain at oss.qualcomm.com
Thu May 7 14:29:01 PDT 2026


On Tue, Apr 21, 2026 at 3:50 PM Tristan Madani <tristmd at gmail.com> wrote:
>
> From: Tristan Madani <tristan at talencesecurity.com>
>
> The firmware response dispatcher copies all synchronous HAL responses
> into the 4096-byte hal_buf without validating the response length. A
> response exceeding WCN36XX_HAL_BUF_SIZE causes a heap buffer overflow
> with firmware-controlled content.
>
> Add a bounds check on the response length.
>
> Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware")
> Signed-off-by: Tristan Madani <tristan at talencesecurity.com>

Reviewed-by: Loic Poulain <loic.poulain at oss.qualcomm.com>

> ---
> Changes in v3:
>   - Regenerated from wireless-next with proper git format-patch to
>     produce valid index hashes (v2 had post-processed index lines).
>
> Changes in v2:
>   - No code changes from v1.
>
>  drivers/net/wireless/ath/wcn36xx/smd.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c
> index 813553edcb789..f65328329f4f0 100644
> --- a/drivers/net/wireless/ath/wcn36xx/smd.c
> +++ b/drivers/net/wireless/ath/wcn36xx/smd.c
> @@ -3293,6 +3293,10 @@ int wcn36xx_smd_rsp_process(struct rpmsg_device *rpdev,
>         case WCN36XX_HAL_EXIT_IMPS_RSP:
>         case WCN36XX_HAL_UPDATE_CHANNEL_LIST_RSP:
>         case WCN36XX_HAL_ADD_BCN_FILTER_RSP:
> +               if (len > WCN36XX_HAL_BUF_SIZE) {
> +                       wcn36xx_warn("HAL response too large: %d\n", len);
> +                       break;
> +               }
>                 memcpy(wcn->hal_buf, buf, len);
>                 wcn->hal_rsp_len = len;
>                 complete(&wcn->hal_rsp_compl);
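Review bot: the `break` path rejects the oversized response silently from the command issuer's point of view: `complete(&wcn->hal_rsp_compl)` is skipped, so whoever sent the synchronous HAL command will only notice when its own wait on `hal_rsp_compl` times out. That is an acceptable outcome for a firmware-controlled length, but it is worth stating in the commit message (and the warning would be more useful as `wcn36xx_err`, since it indicates misbehaving firmware, not a transient condition). Note also that the check `len > WCN36XX_HAL_BUF_SIZE` correctly accepts `len == WCN36XX_HAL_BUF_SIZE`, which exactly fills `hal_buf`; the oversized `wcn->hal_rsp_len = len` assignment is no longer reachable, so the consumers of `hal_rsp_len` need no further change.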
> --
> 2.47.3
>
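As an added illustration of the check introduced above, not part of the patch, the driver or this thread: a small stand-alone model of the synchronous-response path with a canary placed directly after the 4096-byte buffer, so that an oversized, attacker-shaped response can be fed in and the result (rejected, completion not signalled, canary intact) verified. Every name here (`hal_ctx`, `process_sync_rsp`, `demo_*`, `HAL_BUF_SIZE`, `CANARY`) is hypothetical; `HAL_BUF_SIZE` mirrors the value the commit message gives for `WCN36XX_HAL_BUF_SIZE`. The extra `len < 0` test is an assumption beyond the patch, added because `len` is a signed `int` that is converted to `size_t` for `memcpy`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HAL_BUF_SIZE 4096          /* same value as WCN36XX_HAL_BUF_SIZE */
#define CANARY       0xDEADBEEFu   /* sentinel placed right after hal_buf */

/* Hypothetical stand-in for the per-device state the dispatcher writes to. */
struct hal_ctx {
    uint8_t  hal_buf[HAL_BUF_SIZE];
    uint32_t canary;      /* would be clobbered by any overflow of hal_buf */
    int      hal_rsp_len;
    int      completed;   /* stands in for complete(&wcn->hal_rsp_compl) */
};

static void hal_ctx_init(struct hal_ctx *c)
{
    memset(c, 0, sizeof *c);
    c->canary = CANARY;
}

/*
 * Bounded copy modelled on the patched dispatcher: an in-range response is
 * copied and the waiter is completed; an oversized one is dropped and the
 * waiter is deliberately NOT completed, so the command issuer times out.
 * Returns 0 on copy, -1 on rejection.
 */
static int process_sync_rsp(struct hal_ctx *c, const void *buf, int len)
{
    if (len < 0 || len > HAL_BUF_SIZE) {          /* len < 0: extra, see lead-in */
        fprintf(stderr, "HAL response too large: %d\n", len);
        return -1;
    }
    memcpy(c->hal_buf, buf, (size_t)len);
    c->hal_rsp_len = len;
    c->completed = 1;
    return 0;
}

/* Constructed response that exactly fills hal_buf: must be accepted. */
static int demo_in_range(void)
{
    struct hal_ctx c;
    uint8_t rsp[HAL_BUF_SIZE];

    hal_ctx_init(&c);
    memset(rsp, 0x41, sizeof rsp);
    if (process_sync_rsp(&c, rsp, HAL_BUF_SIZE) != 0)
        return 0;
    return c.completed == 1 && c.hal_rsp_len == HAL_BUF_SIZE &&
           c.canary == CANARY && c.hal_buf[HAL_BUF_SIZE - 1] == 0x41;
}

/* Constructed response one byte too long: must be dropped, canary untouched,
 * completion not signalled. */
static int demo_oversized(void)
{
    struct hal_ctx c;
    uint8_t rsp[HAL_BUF_SIZE + 1];

    hal_ctx_init(&c);
    memset(rsp, 0x42, sizeof rsp);
    if (process_sync_rsp(&c, rsp, HAL_BUF_SIZE + 1) != -1)
        return 0;
    return c.completed == 0 && c.hal_rsp_len == 0 && c.canary == CANARY;
}

int main(void)
{
    printf("in-range response accepted: %s\n", demo_in_range() ? "yes" : "no");
    printf("oversized response rejected: %s\n", demo_oversized() ? "yes" : "no");
    return 0;
}
```

The canary is only a demonstration aid; in the real driver the bytes after `hal_buf` are whatever the allocator placed there, which is why the commit message describes the bug as a heap overflow with firmware-controlled content.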
