[PATCH v3 2/3] wifi: carl9170: fix OOB read from off-by-two in TX status handler

Next message: Tristan Madani: "[PATCH v3 3/3] wifi: carl9170: fix buffer overflow in rx_stream failover path"
Previous message: Tristan Madani: "[PATCH v3 3/5] wifi: rsi: fix OOB read from firmware pad_bytes in management RX path"
In reply to: Tristan Madani: "[PATCH v3 1/3] wifi: carl9170: bound memcpy length in cmd callback to prevent OOB read"
Next in thread: Tristan Madani: "[PATCH v3 3/3] wifi: carl9170: fix buffer overflow in rx_stream failover path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tristan Madani

Date: Tue Apr 21 2026 - 10:00:35 EST

From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

The bounds check in carl9170_tx_process_status() uses
`i > ((cmd->hdr.len / 2) + 1)` which is off by two, allowing
2 extra iterations past valid _tx_status entries when the firmware-
controlled hdr.ext exceeds hdr.len/2. Fix by using the correct
comparison `i >= (cmd->hdr.len / 2)`.

Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend")
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
Changes in v3:
- Regenerated from wireless-next with proper git format-patch to
produce valid index hashes (v2 had post-processed index lines).

Changes in v2:
- No code changes from v1.

drivers/net/wireless/ath/carl9170/tx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/carl9170/tx.c b/drivers/net/wireless/ath/carl9170/tx.c
index 59caf1e4b1589..06aaf281655b1 100644
--- a/drivers/net/wireless/ath/carl9170/tx.c
+++ b/drivers/net/wireless/ath/carl9170/tx.c
@@ -692,7 +692,7 @@ void carl9170_tx_process_status(struct ar9170 *ar,
unsigned int i;

for (i = 0; i < cmd->hdr.ext; i++) {
- if (WARN_ON(i > ((cmd->hdr.len / 2) + 1))) {
+ if (WARN_ON(i >= (cmd->hdr.len / 2))) {
print_hex_dump_bytes("UU:", DUMP_PREFIX_NONE,
(void *) cmd, cmd->hdr.len + 4);
break;
--
2.47.3