[PATCH v3 0/3] wifi: carl9170: firmware trust boundary hardening

Next message: Stephan Gerhold: "Re: [PATCH 2/2] remoteproc: qcom: Check glink-&gt;edge in glink_subdev_stop()"
Previous message: Joel Fernandes: "Re: [PATCH v11 07/20] gpu: nova-core: mm: Add TLB flush support"
Next in thread: Tristan Madani: "[PATCH v3 1/3] wifi: carl9170: bound memcpy length in cmd callback to prevent OOB read"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tristan Madani

Date: Tue Apr 21 2026 - 09:50:02 EST

From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

This series adds missing bounds checks for firmware-controlled fields
in the carl9170 USB driver.

Patch 1 bounds the cmd callback memcpy to prevent heap overflow from
an oversized firmware response. Patch 2 fixes an off-by-two in the TX
status handler. Patch 3 caps the failover copy to rx_failover_missing
bytes, using min_t per Christian Lamparter.

Changes in v3:
- Regenerated from wireless-next with proper git format-patch.

Changes in v2:
- Use min_t() instead of separate if-check in patch 3, per
Christian Lamparter.

Tristan Madani (3):
wifi: carl9170: bound memcpy length in cmd callback to prevent OOB
read
wifi: carl9170: fix OOB read from off-by-two in TX status handler
wifi: carl9170: fix buffer overflow in rx_stream failover path

drivers/net/wireless/ath/carl9170/rx.c | 7 +++++--
drivers/net/wireless/ath/carl9170/tx.c | 2 +-
2 files changed, 6 insertions(+), 3 deletions(-)

--
2.47.3