From: Aleksandr Nesterenko
To: quic_kvalo@quicinc.com, davem@davemloft.net, kuba@kernel.org
Cc: linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Aleksandr Nesterenko
Subject: [PATCH] wifi: ath9k: add range check for epid in htc_issue_send()
Date: Fri, 30 Jan 2026 13:56:46 +0100
Message-Id: <20260130125646.45925-1-alexandernesterenko837@gmail.com>

The fix for CVE-2024-53156 (commit 8619593634cb ("wifi: ath9k: add range
check for conn_rsp_epid in htc_connect_service()")) added a bounds check
for conn_rsp_epid in htc_connect_service() to prevent out-of-bounds array
access. However, htc_issue_send() accesses target->endpoint[epid] directly
without validating the epid parameter.

While htc_connect_service() now validates the endpoint ID before storing
it, htc_issue_send() can still receive invalid epid values from callers
such as htc_send() and htc_send_epid(). This provides defense-in-depth
against out-of-bounds access.

Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
Signed-off-by: Aleksandr Nesterenko
--- drivers/net/wireless/ath/ath9k/htc_hst.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireles= s/ath/ath9k/htc_hst.c index 00dc97ac53b9..7821a31c0abb 100644 --- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c @@ -23,9 +23,16 @@ static int htc_issue_send(struct htc_target *target, str= uct sk_buff* skb, =20 { struct htc_frame_hdr *hdr; - struct htc_endpoint *endpoint =3D &target->endpoint[epid]; + struct htc_endpoint *endpoint; int status; =20 + if (epid >=3D ENDPOINT_MAX) { + kfree_skb(skb); + return -EINVAL; + } + + endpoint =3D &target->endpoint[epid]; + hdr =3D skb_push(skb, sizeof(struct htc_frame_hdr)); hdr->endpoint_id =3D epid; hdr->flags =3D flags; --=20 2.34.1
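
Review bot: the kfree_skb(skb) in the new "if (epid >= ENDPOINT_MAX)" branch makes htc_issue_send() consume the skb on this one error return, and nothing in the visible context shows the function freeing skb on any other path or what its callers do when it returns non-zero. If htc_send(), htc_send_epid() or their callers already free the skb on failure, this branch turns an out-of-bounds read into a double free. Either drop the kfree_skb() and only "return -EINVAL;", leaving ownership with the caller as before, or state in the commit message that every caller was audited and does not free on error. Two smaller points: the declared type of epid lies outside the visible lines, so if it is a signed type a negative value passes the ">=" test and the check should also reject "epid < 0"; and since the commit message describes this as defense-in-depth without naming a path that delivers an invalid epid, the Fixes: tag should either be backed by such a path or be dropped.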