wifi: carl9170: firmware trust boundary hardening

[PATCH v3 0/3] wifi: carl9170: firmware trust boundary hardening

Tristan Madani posted 3 patches 1 month, 3 weeks ago

Download series mbox

drivers/net/wireless/ath/carl9170/rx.c | 7 +++++--
drivers/net/wireless/ath/carl9170/tx.c | 2 +-
2 files changed, 6 insertions(+), 3 deletions(-)

Expand all Fold all

[PATCH v3 0/3] wifi: carl9170: firmware trust boundary hardening

Posted by Tristan Madani 1 month, 3 weeks ago

From: Tristan Madani <tristan@talencesecurity.com>

This series adds missing bounds checks for firmware-controlled fields
in the carl9170 USB driver.

Patch 1 bounds the cmd callback memcpy to prevent heap overflow from
an oversized firmware response. Patch 2 fixes an off-by-two in the TX
status handler. Patch 3 caps the failover copy to rx_failover_missing
bytes, using min_t per Christian Lamparter.

Changes in v3:
  - Regenerated from wireless-next with proper git format-patch.

Changes in v2:
  - Use min_t() instead of separate if-check in patch 3, per
    Christian Lamparter.

Tristan Madani (3):
  wifi: carl9170: bound memcpy length in cmd callback to prevent OOB
    read
  wifi: carl9170: fix OOB read from off-by-two in TX status handler
  wifi: carl9170: fix buffer overflow in rx_stream failover path

 drivers/net/wireless/ath/carl9170/rx.c | 7 +++++--
 drivers/net/wireless/ath/carl9170/tx.c | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

-- 
2.47.3