Re: [PATCH v3 2/6] wifi: mwifiex: fix OOB write from firmware TID in ADDBA response handler
From: Brian Norris
Date: Tue Apr 21 2026 - 19:34:03 EST
On Tue, Apr 21, 2026 at 01:49:34PM +0000, Tristan Madani wrote:
> From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
>
> The TID value extracted from the Block Ack parameter set is a 4-bit
> field (0-15), but aggr_prio_tbl[] has only 8 entries. A TID >= 8 causes
> an out-of-bounds write to adjacent struct mwifiex_private fields.
>
> Add a bounds check after extracting the TID.
>
> Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
> Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
> ---
> Changes in v3:
> - Regenerated from wireless-next with proper git format-patch to
> produce valid index hashes (v2 had post-processed index lines).
>
> Changes in v2:
> - No code changes from v1.
>
> drivers/net/wireless/marvell/mwifiex/11n.c | 5 +++++
> 1 file changed, 5 insertions(+)
Acked-by: Brian Norris <briannorris@xxxxxxxxxxxx>
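
The failure mode in the quoted commit message, as an added sketch (not the patch and not driver code): masking the Block Ack Parameter Set yields a TID of 0-15, so an 8-entry table still needs an explicit range check. The struct, the function names, the host-order input and the choice to return -EINVAL are assumptions made for illustration; the bit layout is the IEEE 802.11 one.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Block Ack Parameter Set (IEEE 802.11): bit 0 A-MSDU, bit 1 policy,
 * bits 2-5 TID, bits 6-15 buffer size. */
#define BA_PARAM_TID_MASK  0x003Cu
#define BA_PARAM_TID_SHIFT 2
#define BA_PARAM_BUF_SHIFT 6
#define DEMO_MAX_TID       8   /* table size given in the commit message */

/* Hypothetical stand-in for the per-interface state, not the driver's struct. */
struct demo_priv {
    uint16_t win_size[DEMO_MAX_TID]; /* plays the role of aggr_prio_tbl[] */
    uint32_t neighbour;              /* field located right after the table */
};

/* The mask is 4 bits wide, so this returns 0..15: it is not a bounds check. */
static unsigned ba_param_tid(uint16_t param_set)
{
    return (param_set & BA_PARAM_TID_MASK) >> BA_PARAM_TID_SHIFT;
}

/* Handle an untrusted response (param_set assumed already in host order).
 * A TID the table cannot hold is rejected before any write happens. */
static int demo_handle_addba_rsp(struct demo_priv *priv, uint16_t param_set)
{
    unsigned tid = ba_param_tid(param_set);

    if (tid >= DEMO_MAX_TID)
        return -EINVAL;

    priv->win_size[tid] = (uint16_t)(param_set >> BA_PARAM_BUF_SHIFT);
    return 0;
}

int main(void)
{
    struct demo_priv p = { .neighbour = 0xC0FFEEu };
    /* Constructed samples: buffer size 64 with TID 3, then with TID 9. */
    uint16_t ok  = (uint16_t)((64u << 6) | (3u << 2) | 0x3u);
    uint16_t bad = (uint16_t)((64u << 6) | (9u << 2) | 0x3u);

    printf("tid=%u rc=%d\n", ba_param_tid(ok), demo_handle_addba_rsp(&p, ok));
    printf("tid=%u rc=%d\n", ba_param_tid(bad), demo_handle_addba_rsp(&p, bad));
    printf("neighbour=0x%X\n", (unsigned)p.neighbour);
    return 0;
}
```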