Re: [PATCH v4] wifi: ath6kl: fix OOB access from firmware ADDBA window size

From: Vasanthakumar Thiagarajan

Date: Mon Jun 29 2026 - 00:58:20 EST




On 6/26/2026 5:34 AM, Tristan Madani wrote:
> aggr_recv_addba_req_evt() logs a debug message when the firmware-supplied
> win_sz is outside [AGGR_WIN_SZ_MIN, AGGR_WIN_SZ_MAX] but does not
> return. The out-of-range win_sz is then used in TID_WINDOW_SZ() to
> compute a kzalloc size and stored in rxtid->hold_q_sz, leading to
> zero-size or overflowed allocations and subsequent out-of-bounds access.
>
> Clean up any previously active aggregation session for the TID first,
> then return early when win_sz is out of the valid range, instead of
> proceeding with a broken allocation size.
>
> Fixes: bdcd81707973 ("Add ath6kl cleaned up driver")
> Cc: stable@xxxxxxxxxxxxxxx
> Suggested-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@xxxxxxxxxxxxxxxx>

You can remove my suggested-by as I only provided review comments on your patch.

> Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

With the above comment addressed,

Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@xxxxxxxxxxxxxxxx>
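A stand-alone C model of the corrected control flow the quoted patch describes (cleanup of the previous session, then an early return on an out-of-range win_sz before it can reach the allocation size). This is an added illustration, not the ath6kl driver's code: the struct layout, the simplified function signature, the window bounds and the alloc/free stand-ins are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Window bounds and size macro as assumed for this model (not copied from the page). */
#define AGGR_WIN_SZ_MIN 2
#define AGGR_WIN_SZ_MAX 8
#define TID_WINDOW_SZ(_x) ((_x) << 1)

/* Minimal stand-in for the driver's per-TID receive aggregation state (assumed layout). */
struct skb_hold_q { void *skb; uint16_t seq_no; };
struct rxtid {
    int aggr;                    /* aggregation session active for this TID */
    uint16_t hold_q_sz;          /* number of hold_q slots */
    struct skb_hold_q *hold_q;   /* reorder buffer, hold_q_sz entries */
};

/* Stand-in for the driver's per-TID teardown: drop any active session. */
static void aggr_delete_tid_state(struct rxtid *rxtid)
{
    free(rxtid->hold_q);
    rxtid->hold_q = NULL;
    rxtid->hold_q_sz = 0;
    rxtid->aggr = 0;
}

/*
 * Corrected flow: tear down the previous session first, then reject a
 * firmware-supplied win_sz outside [AGGR_WIN_SZ_MIN, AGGR_WIN_SZ_MAX]
 * before it is turned into an allocation size or stored in hold_q_sz.
 * Returns 0 on success, -1 when the request is rejected or alloc fails.
 */
static int aggr_recv_addba_req_evt(struct rxtid *rxtid, uint8_t win_sz)
{
    if (rxtid->aggr)
        aggr_delete_tid_state(rxtid);

    if (win_sz < AGGR_WIN_SZ_MIN || win_sz > AGGR_WIN_SZ_MAX)
        return -1;               /* untrusted value: bail out, nothing allocated */

    rxtid->hold_q_sz = TID_WINDOW_SZ(win_sz);
    rxtid->hold_q = calloc(rxtid->hold_q_sz, sizeof(*rxtid->hold_q));
    if (!rxtid->hold_q) {
        rxtid->hold_q_sz = 0;
        return -1;
    }
    rxtid->aggr = 1;
    return 0;
}
```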