From nobody Sun Feb  8 16:53:27 2026
Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com
 [209.85.128.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3C7DC37E300
	for <linux-kernel@vger.kernel.org>; Fri, 30 Jan 2026 12:53:33 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.128.52
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1769777614; cv=none;
 b=kYggGhMy5Vr0zU3BJBBXIdgLFokrRmL3HUwgx6hOuVLmV9ebxz4VgtYhP6ORu06YS3o4atL80w5XPIl4LeEk8YSNQN2o18gztKoT5C1EFd9pRFtjzqwMRBmSAMBq2edQi9ZigcRzbgFYww2lBs1RWKPzLnX9C2+j9/0xiolzCq8=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1769777614; c=relaxed/simple;
	bh=dg9kYr8aZfQN0Z5Niq94kmT7y8LXjeCMZKoKN1fucL0=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
 b=gzU1HfZwwbgtMnXVfe7ozkLvKIDwwhbggrgGhNNYkkoL1Z2z6OKbfLmE72ZWOCWx5Y4Zjwhzqch85m6kQyf2EFwN3+6NvzduAYUjKUNPk3LlrreTX9LtOHAlQU2rXcRff7t7YkwPZ+QcjCcb1pIp/LpccptyFWgx3apBQwE7zwk=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=cYUJOe/p; arc=none smtp.client-ip=209.85.128.52
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="cYUJOe/p"
Received: by mail-wm1-f52.google.com with SMTP id
 5b1f17b1804b1-47ee937ecf2so17764415e9.0
        for <linux-kernel@vger.kernel.org>;
 Fri, 30 Jan 2026 04:53:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1769777612; x=1770382412;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=iQzOK0aKaeoderdrXRGweVvWgIMEPYBk9+gZ71lrHVY=;
        b=cYUJOe/puO5FiZ+6g7TGB6pDF25G31nSEqTwbmJK/HrQfCGnEi/ZMC/Up2hnPGy7ZJ
         u6Rzxm6wAxy+Zl29ClbyMNl0xZU6fvKazMSs4xJmQEtwS5iPyBEjUaE/l6eAxZTZCtvx
         La1QcZR2ZNJI8ZTesQXSRv6BfzH2HYb1Op/zxIXa2sjhTRXyoafKfvsWHHmSz71ASvWO
         Dgk4c/llexms3jwznIrmmxqeB8myHz0Ty9e/jOPlYAexv9vBYsrqlqxfhUTzPF/4VURO
         Mf8v9UZ7MviIwye7BhqbECqVSzNqf8OIH0KbxLb4ILplW+WmMrZM8supsYBqBvagtP0W
         lItg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1769777612; x=1770382412;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=iQzOK0aKaeoderdrXRGweVvWgIMEPYBk9+gZ71lrHVY=;
        b=l0yfqr62eVWjFr5fm4XYKhlRBUqvIeW5bvZtTiJfp1CByE68asf5SiBDkVnhHfklI/
         WXsByt6k11ePjUy3HMSlGs8KWzPoT3fz05PzSDR4gEGE+OjyPu/ZLvflKjHprf23LEPu
         6R/hHpzgA88gW0LNCnc5mPNuPjZFxr5XeE+pRTK+uSEtLx4av/joCpuxsAT7MkGLuYD+
         23ZuwpQMMOjE4r0nSY8CkQwg5RwXWOcEUgljME0g4qNZYSV15D2zBFTBS2a8nMjdC+GV
         kEB/Ym4DOqncjmehQIWr4ilMzwRbGI8Na4DDZCQD+nfwsQZDPD0U7KxCrNsCLsFMuGxM
         cHhQ==
X-Forwarded-Encrypted: i=1;
 AJvYcCWy5gk4AbfkJMGf7UK+BA0vSnC3RxF76a2Co9JkTIOo/3LGJkTZKv88rXNKlI38XWdVGF/NW9FuGlTOCfM=@vger.kernel.org
X-Gm-Message-State: AOJu0YxHHGQaEvCBWMxIL9uxwj8ySRUPCZIL7ORu5goemlC8l3gUFgZh
	IsJmPfFIvXXrbGRvaiitq+C//vQSIbHwFy+7eZYz/gqFmTJE0PA+3URc
X-Gm-Gg: AZuq6aKay+wo95phln0LTKoSE0mY3L+TVvDWceU0/EnYirzftmcgn12qtx6wmixl8cr
	eQnnjEXedO5g44kIyVLQK7PU6WhXrOk0PeYK8il8gmGoIpKCMBzDBy03Etnw0Hi3r39Q401wqOS
	9XTAE2Loi1Ppw5NcPszCH4QjtUOhpTpOZqnSOSULJ7iDoAfBhPW1cqWwj0+iAU3yTzCa69wB2TQ
	g0+D0Ux1NoXqI6fHv9fhsEZHc6ywHMLjsxv+EKCq6ebf/mZhDJ+v9HPV6eISWhhCL8JVsnq7Lr7
	D+x9wZxfVrj0xwY3ui/ogdJCiXpT09bDil4Gruh5zVy8snZK856ixF4v2/0xMMFUVMJuTBRixMP
	uCxQ1ObIJgLOfVF9S7mhmv9VGOy6lU2gyfxZR2Sco7fwU70pCSzytm/+IYQaD6LRhz2z5ohQnfe
	5l2honBJC84ttH3zUDFzg6zOPELoV199WDKrg1xgUp7a0F4bY2DyjEoL3IktX6bsQwnCCu
X-Received: by 2002:a05:600c:8b52:b0:479:1348:c63e with SMTP id
 5b1f17b1804b1-482db476c30mr33587235e9.9.1769777611406;
        Fri, 30 Jan 2026 04:53:31 -0800 (PST)
Received: from anesterenko.. (62.43.64.127.dyn.user.ono.com. [62.43.64.127])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-482e267b699sm12837375e9.16.2026.01.30.04.53.30
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 30 Jan 2026 04:53:31 -0800 (PST)
From: Aleksandr Nesterenko <alexandernesterenko837@gmail.com>
To: kvalo@codeaurora.org,
	davem@davemloft.net,
	kuba@kernel.org
Cc: linux-wireless@vger.kernel.org,
	netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Aleksandr Nesterenko <alexandernesterenko837@gmail.com>
Subject: [PATCH] wifi: ath9k: add range check for epid in htc_issue_send()
Date: Fri, 30 Jan 2026 13:53:26 +0100
Message-Id: <20260130125326.44456-1-alexandernesterenko837@gmail.com>
X-Mailer: git-send-email 2.34.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The fix for CVE-2024-53156 (commit 8619593634cb ("wifi: ath9k: add
range check for conn_rsp_epid in htc_connect_service()")) added a
bounds check for conn_rsp_epid in htc_connect_service() to prevent
out-of-bounds array access. However, htc_issue_send() accesses
target->endpoint[epid] directly without validating the epid parameter.

While htc_connect_service() now validates the endpoint ID before storing
it, htc_issue_send() can still receive invalid epid values from callers
such as htc_send() and htc_send_epid(). This provides defense-in-depth
against out-of-bounds access.

Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
Signed-off-by: Aleksandr Nesterenko <alexandernesterenko837@gmail.com>
---
 drivers/net/wireless/ath/ath9k/htc_hst.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireles=
s/ath/ath9k/htc_hst.c
index 00dc97ac53b9..7821a31c0abb 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -23,9 +23,16 @@ static int htc_issue_send(struct htc_target *target, str=
uct sk_buff* skb,
=20
 {
 	struct htc_frame_hdr *hdr;
-	struct htc_endpoint *endpoint =3D &target->endpoint[epid];
+	struct htc_endpoint *endpoint;
 	int status;
=20
+	if (epid >=3D ENDPOINT_MAX) {
+		kfree_skb(skb);
+		return -EINVAL;
+	}
+
+	endpoint =3D &target->endpoint[epid];
+
 	hdr =3D skb_push(skb, sizeof(struct htc_frame_hdr));
 	hdr->endpoint_id =3D epid;
 	hdr->flags =3D flags;
--=20
2.34.1