Re: [PATCH v3 0/3] wifi: carl9170: firmware trust boundary hardening

From: Christian Lamparter

Date: Sat Jul 04 2026 - 15:47:54 EST


On 7/1/26 7:47 PM, Jeff Johnson wrote:
On 4/21/2026 6:49 AM, Tristan Madani wrote:
From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

This series adds missing bounds checks for firmware-controlled fields
in the carl9170 USB driver.

Patch 1 bounds the cmd callback memcpy to prevent heap overflow from
an oversized firmware response. Patch 2 fixes an off-by-two in the TX
status handler. Patch 3 caps the failover copy to rx_failover_missing
bytes, using min_t per Christian Lamparter.

Changes in v3:
- Regenerated from wireless-next with proper git format-patch.

Changes in v2:
- Use min_t() instead of separate if-check in patch 3, per
Christian Lamparter.

Tristan Madani (3):
wifi: carl9170: bound memcpy length in cmd callback to prevent OOB
read
wifi: carl9170: fix OOB read from off-by-two in TX status handler
wifi: carl9170: fix buffer overflow in rx_stream failover path

drivers/net/wireless/ath/carl9170/rx.c | 7 +++++--
drivers/net/wireless/ath/carl9170/tx.c | 2 +-
2 files changed, 6 insertions(+), 3 deletions(-)


Christian, will you be able to review this series?
I'll take it once I get reviewed-by or acked-by tags.
And then we can ignore the dups from others.

From what I can tell, the "others" made the effort to also check skzkaller.
i.e: https://www.spinics.net/lists/stable/msg965098.html
Closes: https://syzkaller.appspot.com/bug?extid=5c1ca6ccaa1215781cac

Wouldn't it be possible to merge this information with the patch? I guess not.
Oh well.

As for the series I do have a headache with patch 2, I wonder why none of the
other AI-fueled mails proposed the same.