[PATCH] wifi: iwlwifi: dvm: fix off-by-one in iwl_rx_dispatch command index

From: Junrui Luo

Date: Mon May 25 2026 - 08:26:51 EST


iwl_rx_dispatch() indexes priv->rx_handlers[] and priv->rx_handlers_stats[]
by pkt->hdr.cmd without bounds checking. Both arrays are declared with
REPLY_MAX (0xff = 255) entries, but pkt->hdr.cmd is a u8 spanning 0..255,
so cmd == 0xff reads and writes one element past the end of each array.

The OOB read on rx_handlers[] lands on the adjacent notif_wait field,
whose ->next pointer is non-NULL after init, causing the function pointer
check to pass and the kernel to call a heap address. The OOB increment on
rx_handlers_stats[] corrupts rf_reset.reset_request_count.

Add a bounds check against ARRAY_SIZE(priv->rx_handlers) before indexing,
so out-of-range commands fall through to the existing debug log branch.

Fixes: 1ab9f6c11b00 ("iwlagn: move the Rx dispatching to the upper layer")
Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
drivers/net/wireless/intel/iwlwifi/dvm/rx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/rx.c b/drivers/net/wireless/intel/iwlwifi/dvm/rx.c
index 088302a238de..a5a58cf331d4 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/rx.c
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/rx.c
@@ -1008,7 +1008,8 @@ void iwl_rx_dispatch(struct iwl_op_mode *op_mode, struct napi_struct *napi,
/* Based on type of command response or notification,
* handle those that need handling via function in
* rx_handlers table. See iwl_setup_rx_handlers() */
- if (priv->rx_handlers[pkt->hdr.cmd]) {
+ if (pkt->hdr.cmd < ARRAY_SIZE(priv->rx_handlers) &&
+ priv->rx_handlers[pkt->hdr.cmd]) {
priv->rx_handlers_stats[pkt->hdr.cmd]++;
priv->rx_handlers[pkt->hdr.cmd](priv, rxb);
} else {
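Review bot: the new guard bounds only rx_handlers[], but the line `priv->rx_handlers_stats[pkt->hdr.cmd]++;` in the same block indexes a second array whose size is merely assumed to match; if either array is ever resized independently, the stats increment silently becomes an out-of-bounds write again. Consider tying the two together with `BUILD_BUG_ON(ARRAY_SIZE(priv->rx_handlers) != ARRAY_SIZE(priv->rx_handlers_stats));` next to the check (or checking against both sizes), and extending the comment above the `if` to say why the check exists: the table has REPLY_MAX (0xff) entries while the u8 cmd can reach 0xff.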

---
base-commit: c369299895a591d96745d6492d4888259b004a9e
change-id: 20260525-fixes-a32bbe287204

Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>
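The following is an added, constructed C model of the off-by-one the patch fixes; it is not code from the patch or from the iwlwifi driver. It keeps only the shape the commit message describes (a REPLY_MAX = 0xff entry table indexed by a u8, with another field declared right behind it) and shows the unchecked dispatch beside the checked one, plus the general rule that a u8 index is only always in range for a table of at least 256 entries. The struct and field names (model_priv, neighbour_ptr, neighbour_count, model_pkt_hdr) are hypothetical stand-ins, not the driver's layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the hazard, NOT the iwlwifi code. The driver's table
 * has REPLY_MAX (0xff) entries and is indexed by a u8 cmd that ranges 0..255.
 * Field names below are hypothetical stand-ins for the neighbours the commit
 * message names (notif_wait's ->next, rf_reset.reset_request_count). */
#define REPLY_MAX 0xff
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct model_priv;
typedef void (*rx_handler_t)(struct model_priv *priv);

struct model_priv {
	rx_handler_t rx_handlers[REPLY_MAX];
	void *neighbour_ptr;        /* sits right after the table, non-NULL after init */
	uint32_t rx_handlers_stats[REPLY_MAX];
	uint32_t neighbour_count;   /* sits right after the stats table */
	int last_handled;
	int dropped;
};

struct model_pkt_hdr {
	uint8_t cmd;                /* u8: 256 values for a 255-entry table */
	uint8_t flags;
};

static void handle_cmd_one(struct model_priv *priv) { priv->last_handled = 1; }

static void model_init(struct model_priv *priv)
{
	memset(priv, 0, sizeof(*priv));
	priv->neighbour_ptr = priv;           /* non-NULL, like a list head's ->next */
	priv->rx_handlers[1] = handle_cmd_one; /* one registered command for the demo */
	priv->last_handled = -1;
}

/* Before the patch: no range check. With cmd == 0xff the read of
 * rx_handlers[0xff] lands on neighbour_ptr and the stats increment writes
 * neighbour_count. Deliberately never called with 0xff here (that is UB). */
static int dispatch_unchecked(struct model_priv *priv, const struct model_pkt_hdr *hdr)
{
	if (priv->rx_handlers[hdr->cmd]) {
		priv->rx_handlers_stats[hdr->cmd]++;
		priv->rx_handlers[hdr->cmd](priv);
		return 1;
	}
	priv->dropped++;
	return 0;
}

/* After the patch: bound the index by the table size before either access;
 * out-of-range commands take the same path as unknown ones. */
static int dispatch_checked(struct model_priv *priv, const struct model_pkt_hdr *hdr)
{
	if (hdr->cmd < ARRAY_SIZE(priv->rx_handlers) &&
	    priv->rx_handlers[hdr->cmd]) {
		priv->rx_handlers_stats[hdr->cmd]++;
		priv->rx_handlers[hdr->cmd](priv);
		return 1;
	}
	priv->dropped++;
	return 0;
}

/* General rule: how many u8 values overrun a table of n entries (0 when none). */
static unsigned int u8_values_out_of_range(size_t n)
{
	return n > UINT8_MAX ? 0 : (unsigned int)(UINT8_MAX + 1 - n);
}

/* Why the OOB hits the neighbour in this model: the one-past-the-end offset
 * of each table equals the offset of the field declared right after it. */
static int oob_index_aliases_neighbour(void)
{
	size_t ptr_end = offsetof(struct model_priv, rx_handlers) + REPLY_MAX * sizeof(rx_handler_t);
	size_t cnt_end = offsetof(struct model_priv, rx_handlers_stats) + REPLY_MAX * sizeof(uint32_t);
	return ptr_end == offsetof(struct model_priv, neighbour_ptr) &&
	       cnt_end == offsetof(struct model_priv, neighbour_count);
}

/* End-to-end: the checked dispatch drops cmd 0xff without touching the
 * neighbour field and still handles cmd 1; returns 1 on success. */
static int model_scenario(void)
{
	struct model_priv p;
	struct model_pkt_hdr bad = { 0xff, 0 }, good = { 1, 0 };

	model_init(&p);
	if (dispatch_checked(&p, &bad) != 0 || p.neighbour_count != 0 || p.dropped != 1)
		return 0;
	if (dispatch_checked(&p, &good) != 1 || p.rx_handlers_stats[1] != 1 || p.last_handled != 1)
		return 0;
	if (dispatch_unchecked(&p, &good) != 1 || p.rx_handlers_stats[1] != 2)
		return 0; /* in-range commands behave the same before and after */
	return 1;
}

int main(void)
{
	printf("u8 values past a %d-entry table: %u\n", REPLY_MAX, u8_values_out_of_range(REPLY_MAX));
	printf("one-past-end aliases neighbour: %d\n", oob_index_aliases_neighbour());
	printf("checked dispatch scenario ok: %d\n", model_scenario());
	return 0;
}
```

The aliasing check relies on this model's own layout (a pointer array followed by a pointer, a u32 array followed by a u32, so no padding on common ABIs); it illustrates the mechanism the commit message describes rather than reproducing the driver's real struct.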