[PATCH v2 2/3] wifi: wcn36xx: fix OOB read from firmware count in PRINT_REG_INFO indication
Loic Poulain
loic.poulain at oss.qualcomm.com
Thu May 7 14:36:34 PDT 2026
On Thu, Apr 16, 2026 at 12:37 AM Tristan Madani <tristmd at gmail.com> wrote:
>
> From: Tristan Madani <tristan at talencesecurity.com>
>
> The firmware-controlled rsp->count field is used as the loop bound for
> indexing into the flexible rsp->regs[] array without validation against
> the message length. A count exceeding the actual data causes out-of-
> bounds reads from the heap-allocated message buffer.
>
> Add a check that count fits within the received message.
>
> Fixes: 43efa3c0f241 ("wcn36xx: Implement print_reg indication")
> Signed-off-by: Tristan Madani <tristan at talencesecurity.com>
Reviewed-by: Loic Poulain <loic.poulain at oss.qualcomm.com>
> ---
> drivers/net/wireless/ath/wcn36xx/smd.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c
> index XXXXXXX..XXXXXXX 100644
> --- a/drivers/net/wireless/ath/wcn36xx/smd.c
> +++ b/drivers/net/wireless/ath/wcn36xx/smd.c
> @@ -2803,6 +2803,12 @@ static int wcn36xx_smd_print_reg_info_ind(struct wcn36xx *wcn,
> return -EIO;
> }
>
> + if (rsp->count > (len - sizeof(*rsp)) / sizeof(rsp->regs[0])) {
> + wcn36xx_warn("Truncated print reg info indication: count %u, len %zu\n",
> + rsp->count, len);
> + return -EIO;
> + }
> +
> wcn36xx_dbg(WCN36XX_DBG_HAL,
> "reginfo indication, scenario: 0x%x reason: 0x%x\n",
> rsp->scenario, rsp->reason);
>
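Review bot: the `(len - sizeof(*rsp))` subtraction in the new check is only safe because the earlier check that ends in the `return -EIO;` context line guarantees `len >= sizeof(*rsp)`; if that check is ever relaxed or reordered, the subtraction wraps as size_t and the new bound becomes effectively infinite. Consider writing the check with the overflow-safe helper from linux/overflow.h, which needs no such precondition and says directly what is meant: `if (len < struct_size(rsp, regs, rsp->count))`. One more small point: the warning prints `count %u`, so it is worth confirming against the struct definition that `rsp->count` is an unsigned 32-bit field rather than a u16 or u8, so the format specifier matches.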
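To show the defect and the fix described in the commit message outside the kernel, here is an added userspace C example that is not part of this thread and not the wcn36xx driver's code. It uses a hypothetical `struct reg_info_ind` with the same shape as the indication (fixed header, firmware-controlled `count`, flexible `regs[]`), an `ind_size()` helper that mirrors the saturating behaviour of the kernel's `struct_size()`, and constructed sample messages; the field widths and the samples are assumptions, not taken from the driver or from firmware captures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the indication layout (an assumption, not the
 * real wcn36xx structure): a fixed header followed by a flexible array. */
struct reg_info_ind {
	uint32_t scenario;
	uint32_t reason;
	uint32_t count;   /* firmware-controlled: never a trustworthy bound */
	uint32_t regs[];  /* flexible array member; its real length is NOT count */
};

#define EIO_ERR (-1)

/* Userspace equivalent of the kernel's struct_size(): bytes needed for the
 * header plus `count` elements, saturating to SIZE_MAX instead of wrapping. */
static size_t ind_size(uint32_t count)
{
	size_t elems;

	if (count > SIZE_MAX / sizeof(uint32_t))
		return SIZE_MAX;
	elems = (size_t)count * sizeof(uint32_t);
	if (elems > SIZE_MAX - sizeof(struct reg_info_ind))
		return SIZE_MAX;
	return sizeof(struct reg_info_ind) + elems;
}

/* Parse a `len`-byte message. Returns the number of register words that are
 * safe to index (possibly 0), or EIO_ERR if the message is inconsistent.
 * `msg` must be 4-byte aligned, which the constructed samples below are. */
static int64_t parse_reg_info_ind(const void *msg, size_t len, uint32_t *sum_out)
{
	const struct reg_info_ind *rsp = msg;
	uint32_t i, sum = 0;

	/* 1. The header must be fully present before any of its fields is read. */
	if (len < sizeof(*rsp))
		return EIO_ERR;
	/* 2. The advertised count must fit in the bytes actually received;
	 *    ind_size() cannot wrap, so this holds for any 32-bit count. */
	if (len < ind_size(rsp->count))
		return EIO_ERR;
	/* Only now is rsp->count a safe loop bound for regs[]. */
	for (i = 0; i < rsp->count; i++)
		sum += rsp->regs[i];
	if (sum_out)
		*sum_out = sum;
	return (int64_t)rsp->count;
}

/* Sum of the register words, or 0 when the message is rejected. */
static uint32_t sum_regs(const uint32_t *msg, size_t len)
{
	uint32_t sum = 0;

	return parse_reg_info_ind(msg, len, &sum) < 0 ? 0 : sum;
}

/* Constructed sample messages (not firmware captures); word 2 is `count`. */
static const uint32_t good_msg[]  = { 0x1, 0x2, 3, 0x10, 0x20, 0x30 };
static const uint32_t lying_msg[] = { 0x1, 0x2, 8, 0x10, 0x20, 0x30 }; /* claims 8, carries 3 */
static const uint32_t huge_msg[]  = { 0x1, 0x2, 0xFFFFFFFFu };         /* count * 4 would wrap on 32-bit */
static const uint32_t short_msg[] = { 0x1, 0x2 };                      /* header itself truncated */

int main(void)
{
	printf("good:  %lld regs, sum 0x%x\n",
	       (long long)parse_reg_info_ind(good_msg, sizeof(good_msg), NULL),
	       sum_regs(good_msg, sizeof(good_msg)));
	printf("lying: %lld\n", (long long)parse_reg_info_ind(lying_msg, sizeof(lying_msg), NULL));
	printf("huge:  %lld\n", (long long)parse_reg_info_ind(huge_msg, sizeof(huge_msg), NULL));
	printf("short: %lld\n", (long long)parse_reg_info_ind(short_msg, sizeof(short_msg), NULL));
	return 0;
}
```

The `lying_msg` case is the one the patch addresses: without check 2 the loop would read five words past the end of a 24-byte buffer. The `huge_msg` case is why the saturating `ind_size()` is preferable to an open-coded `count * sizeof(regs[0])`: on a 32-bit target the multiplication would wrap to a small value and the bogus count would pass.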