Re: [PATCH v3 0/3] wifi: carl9170: firmware trust boundary hardening
From: Jeff Johnson <hidden>
Date: 2026-07-01 17:47:55
Also in:
lkml
On 4/21/2026 6:49 AM, Tristan Madani wrote:
From: Tristan Madani <redacted>
This series adds missing bounds checks for firmware-controlled fields
in the carl9170 USB driver.
Patch 1 bounds the cmd callback memcpy to prevent heap overflow from
an oversized firmware response. Patch 2 fixes an off-by-two in the TX
status handler. Patch 3 caps the failover copy to rx_failover_missing
bytes, using min_t per Christian Lamparter.
Changes in v3:
- Regenerated from wireless-next with proper git format-patch.
Changes in v2:
- Use min_t() instead of separate if-check in patch 3, per
Christian Lamparter.
Tristan Madani (3):
wifi: carl9170: bound memcpy length in cmd callback to prevent OOB
read
wifi: carl9170: fix OOB read from off-by-two in TX status handler
wifi: carl9170: fix buffer overflow in rx_stream failover path
drivers/net/wireless/ath/carl9170/rx.c | 7 +++++--
drivers/net/wireless/ath/carl9170/tx.c | 2 +-
2 files changed, 6 insertions(+), 3 deletions(-)Christian, will you be able to review this series? I'll take it once I get reviewed-by or acked-by tags. And then we can ignore the dups from others. /jeff