[PATCH v2 2/6] wifi: mwifiex: fix OOB write from firmware TID in ADDBA response handler
From: Tristan Madani
Date: Wed Apr 15 2026 - 18:25:30 EST
From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
The TID value extracted from the Block Ack parameter set is a 4-bit
field (0-15), but aggr_prio_tbl[] has only 8 entries. A TID >= 8 causes
an out-of-bounds write to adjacent struct mwifiex_private fields.
Add a bounds check after extracting the TID.
Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
drivers/net/wireless/marvell/mwifiex/11n.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/11n.c b/drivers/net/wireless/marvell/mwifiex/11n.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/marvell/mwifiex/11n.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n.c
@@ -155,6 +155,11 @@ int mwifiex_ret_11n_addba_req(struct mwifiex_private *priv,
tid = (block_ack_param_set & IEEE80211_ADDBA_PARAM_TID_MASK)
>> BLOCKACKPARAM_TID_POS;
+ if (tid >= MAX_NUM_TID) {
+ mwifiex_dbg(priv->adapter, ERROR,
+ "ADDBA RSP: invalid tid %d\n", tid);
+ return -EINVAL;
+ }
tid_down = mwifiex_wmm_downgrade_tid(priv, tid);
ra_list = mwifiex_wmm_get_ralist_node(priv, tid_down, add_ba_rsp->
peer_mac_addr);
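Review bot: the bound used in the new check does not visibly match the one the commit message justifies. The message says aggr_prio_tbl[] has 8 entries, but the check compares against MAX_NUM_TID without stating that the two are the same value; either index the limit off the array itself (`if (tid >= ARRAY_SIZE(priv->aggr_prio_tbl))`) or say in the commit message that MAX_NUM_TID is the dimension of aggr_prio_tbl[], so a future change to one cannot silently reopen the out-of-bounds write. Placing the check before mwifiex_wmm_downgrade_tid() is the right spot, since tid_down and the ra_list lookup below are also derived from the firmware-supplied tid.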