[PATCH v2 3/3] wifi: ath6kl: fix OOB read from firmware num_msg in TX complete handler

Next message: Tristan Madani: "[PATCH v2] wifi: ath9k: fix OOB access from firmware tx status queue ID"
Previous message: Tristan Madani: "[PATCH v2 2/3] wifi: ath6kl: fix OOB read from firmware IE lengths in connect event"
In reply to: Tristan Madani: "[PATCH v2 2/3] wifi: ath6kl: fix OOB read from firmware IE lengths in connect event"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tristan Madani

Date: Wed Apr 15 2026 - 18:29:32 EST

From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

The firmware-controlled num_msg field (u8, 0-255) drives the loop in
ath6kl_wmi_tx_complete_event_rx() without validation against the buffer
length. This allows out-of-bounds reads of up to 1020 bytes past the
WMI event buffer when the firmware sends an inflated num_msg.

Add a check that the buffer is large enough to hold num_msg entries.

Fixes: bdcd81707973 ("Add ath6kl cleaned up driver")
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
drivers/net/wireless/ath/ath6kl/wmi.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/ath/ath6kl/wmi.c
+++ b/drivers/net/wireless/ath/ath6kl/wmi.c
@@ -485,6 +485,12 @@ static int ath6kl_wmi_tx_complete_event_rx(u8 *datap, int len)

evt = (struct wmi_tx_complete_event *) datap;

+ if (len < sizeof(*evt) ||
+ len < sizeof(*evt) + evt->num_msg * sizeof(struct tx_complete_msg_v1)) {
+ ath6kl_dbg(ATH6KL_DBG_WMI, "tx complete: invalid len %d for %u msgs\n",
+ len, evt->num_msg);
+ return -EINVAL;
+ }
ath6kl_dbg(ATH6KL_DBG_WMI, "comp: %d %d %d\n",
evt->num_msg, evt->msg_len, evt->msg_type);