Re: [PATCH v3 0/3] wifi: carl9170: firmware trust boundary hardening
From: Jeff Johnson
Date: Wed Jul 01 2026 - 13:51:34 EST
On 4/21/2026 6:49 AM, Tristan Madani wrote:
> From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
>
> This series adds missing bounds checks for firmware-controlled fields
> in the carl9170 USB driver.
>
> Patch 1 bounds the cmd callback memcpy to prevent heap overflow from
> an oversized firmware response. Patch 2 fixes an off-by-two in the TX
> status handler. Patch 3 caps the failover copy to rx_failover_missing
> bytes, using min_t per Christian Lamparter.
>
> Changes in v3:
> - Regenerated from wireless-next with proper git format-patch.
>
> Changes in v2:
> - Use min_t() instead of separate if-check in patch 3, per
> Christian Lamparter.
>
> Tristan Madani (3):
> wifi: carl9170: bound memcpy length in cmd callback to prevent OOB
> read
> wifi: carl9170: fix OOB read from off-by-two in TX status handler
> wifi: carl9170: fix buffer overflow in rx_stream failover path
>
> drivers/net/wireless/ath/carl9170/rx.c | 7 +++++--
> drivers/net/wireless/ath/carl9170/tx.c | 2 +-
> 2 files changed, 6 insertions(+), 3 deletions(-)
>
Christian, will you be able to review this series?
I'll take it once I get reviewed-by or acked-by tags.
And then we can ignore the dups from others.
/jeff