[PATCH v3 0/6] wifi: mwifiex: firmware trust boundary hardening
From: Tristan Madani
Date: Tue Apr 21 2026 - 10:00:50 EST
From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
This series adds missing bounds checks for firmware-controlled fields
in the Marvell mwifiex driver.
Patches cover: WMM queue_index, ADDBA TID, station list count, scan
response TLV lengths, multichannel intf_num, and IBSS peer TLV length.
Changes in v3:
- Regenerated from wireless-next with proper git format-patch.
Changes in v2:
- No code changes from v1.
Tristan Madani (6):
wifi: mwifiex: fix OOB write from firmware queue_index in WMM status
response
wifi: mwifiex: fix OOB write from firmware TID in ADDBA response
handler
wifi: mwifiex: fix OOB read from firmware sta_count in station list
response
wifi: mwifiex: fix OOB read in scan response from mismatched TLV data
sizes
wifi: mwifiex: fix OOB read from firmware intf_num in multichannel
event
wifi: mwifiex: fix OOB read from inflated TLV length in IBSS peer
event
drivers/net/wireless/marvell/mwifiex/11n.c | 5 +++++
drivers/net/wireless/marvell/mwifiex/scan.c | 9 ++++++---
drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c | 10 +++++++++-
drivers/net/wireless/marvell/mwifiex/sta_event.c | 12 ++++++++++++
drivers/net/wireless/marvell/mwifiex/wmm.c | 5 +++++
5 files changed, 37 insertions(+), 4 deletions(-)
--
2.47.3