[PATCH v3 1/3] wifi: wl18xx: fix OOB read from firmware rx_ba_link_id in BA event handler
From: Tristan Madani
Date: Tue Apr 21 2026 - 09:57:08 EST
From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
The firmware-controlled rx_ba_link_id (u8) is used to index the 16-entry
wl->links[] array without bounds checking in the BA window size change
event handler. An out-of-range value causes OOB reads and an immediate
pointer dereference of the OOB wlvif field.
Add bounds validation consistent with all other HLID consumers in the
driver.
Fixes: d4392269f7ce ("wlcore: Add RX_BA_WIN_SIZE_CHANGE_EVENT event")
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
Changes in v3:
- Regenerated from wireless-next with proper git format-patch to
produce valid index hashes (v2 had post-processed index lines).
Changes in v2:
- No code changes from v1.
drivers/net/wireless/ti/wl18xx/event.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/ti/wl18xx/event.c b/drivers/net/wireless/ti/wl18xx/event.c
index a9f090e15cbbe..fac12a8590355 100644
--- a/drivers/net/wireless/ti/wl18xx/event.c
+++ b/drivers/net/wireless/ti/wl18xx/event.c
@@ -212,6 +212,12 @@ int wl18xx_process_mailbox_events(struct wl1271 *wl)
u8 win_size = mbox->rx_ba_win_size;
const u8 *addr;
+ if (link_id >= WLCORE_MAX_LINKS) {
+ wl1271_error("BA event: invalid link_id %u\n",
+ link_id);
+ goto out;
+ }
+
wlvif = wl->links[link_id].wlvif;
vif = wl12xx_wlvif_to_vif(wlvif);
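Review bot: the new bound on link_id does not cover an in-range index whose wl->links[] entry has no vif attached, so in the two context lines after the check wlvif is still read from wl->links[link_id] and handed to wl12xx_wlvif_to_vif() without being tested. If firmware can report a link in that state, consider extending the guard to bail out when wl->links[link_id].wlvif is NULL as well. Because link_id is firmware-controlled, the unconditional wl1271_error() can also be triggered repeatedly; a rate-limited or lower-severity message would keep a misbehaving firmware from flooding the log. The out label is not visible in this hunk, so please confirm that jumping to it from this point does not skip other events carried in the same mailbox.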
--
2.47.3