[PATCH v2 1/3] wifi: wl18xx: fix OOB read from firmware rx_ba_link_id in BA event handler

Next message: Rob Herring (Arm): "Re: [PATCH v6 1/3] dt-bindings: pinctrl: Add aspeed,ast2700-soc0-pinctrl"
Previous message: Tristan Madani: "[PATCH v2 2/3] wifi: wlcore: fix OOB read from firmware max_buff_size in logger handler"
In reply to: Tristan Madani: "[PATCH v2 2/3] wifi: wlcore: fix OOB read from firmware max_buff_size in logger handler"
Next in thread: Tristan Madani: "[PATCH v2 3/3] wifi: wl18xx: fix OOB read from firmware SSID/password lengths in smart config event"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tristan Madani

Date: Wed Apr 15 2026 - 18:31:09 EST

From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

The firmware-controlled rx_ba_link_id (u8) is used to index the 16-entry
wl->links[] array without bounds checking in the BA window size change
event handler. An out-of-range value causes OOB reads and an immediate
pointer dereference of the OOB wlvif field.

Add bounds validation consistent with all other HLID consumers in the
driver.

Fixes: d4392269f7ce ("wlcore: Add RX_BA_WIN_SIZE_CHANGE_EVENT event")
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
drivers/net/wireless/ti/wl18xx/event.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/ti/wl18xx/event.c b/drivers/net/wireless/ti/wl18xx/event.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/ti/wl18xx/event.c
+++ b/drivers/net/wireless/ti/wl18xx/event.c
@@ -211,6 +211,12 @@ int wl18xx_process_mailbox_events(struct wl1271 *wl)
u8 win_size = mbox->rx_ba_win_size;
const u8 *addr;

+ if (link_id >= WLCORE_MAX_LINKS) {
+ wl1271_error("BA event: invalid link_id %u\n",
+ link_id);
+ goto out;
+ }
+
wlvif = wl->links[link_id].wlvif;
vif = wl12xx_wlvif_to_vif(wlvif);