[PATCH v2 1/3] wifi: ath6kl: fix OOB access from firmware ADDBA window size

Next message: Tristan Madani: "[PATCH v2 2/3] wifi: ath6kl: fix OOB read from firmware IE lengths in connect event"
Previous message: Tristan Madani: "[PATCH v2 5/6] wifi: mwifiex: fix OOB read from firmware intf_num in multichannel event"
In reply to: Tristan Madani: "[PATCH v2 0/3] wifi: ath6kl: fix OOB accesses from firmware-controlled fields"
Next in thread: Tristan Madani: "[PATCH v2 2/3] wifi: ath6kl: fix OOB read from firmware IE lengths in connect event"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tristan Madani

Date: Wed Apr 15 2026 - 18:28:55 EST

From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

aggr_recv_addba_req_evt() logs a debug message when the firmware-supplied
win_sz is outside [AGGR_WIN_SZ_MIN, AGGR_WIN_SZ_MAX] but does not
return. The out-of-range win_sz is then used in TID_WINDOW_SZ() to
compute a kzalloc size and stored in rxtid->hold_q_sz, leading to
zero-size or overflowed allocations and subsequent OOB access.

Return early when win_sz is out of the valid range.

Fixes: bdcd81707973 ("Add ath6kl cleaned up driver")
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
drivers/net/wireless/ath/ath6kl/txrx.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath6kl/txrx.c b/drivers/net/wireless/ath/ath6kl/txrx.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/ath/ath6kl/txrx.c
+++ b/drivers/net/wireless/ath/ath6kl/txrx.c
@@ -1725,8 +1725,10 @@ void aggr_recv_addba_req_evt(struct ath6kl_vif *vif, u8 tid_mux, u16 seq_no,
- if (win_sz < AGGR_WIN_SZ_MIN || win_sz > AGGR_WIN_SZ_MAX)
+ if (win_sz < AGGR_WIN_SZ_MIN || win_sz > AGGR_WIN_SZ_MAX) {
ath6kl_dbg(ATH6KL_DBG_WLAN_RX, "%s: win_sz %d, tid %d\n",
__func__, win_sz, tid);
+ return;
+ }

if (rxtid->aggr)
aggr_delete_tid_state(aggr_conn, tid);
--
2.43.0