[PATCH v3 0/6] wifi: mwifiex: firmware trust boundary hardening

Tristan Madani posted 6 patches 1 month, 3 weeks ago
From: Tristan Madani <tristan@talencesecurity.com>

This series adds missing bounds checks for firmware-controlled fields
in the Marvell mwifiex driver.

Patches cover: WMM queue_index, ADDBA TID, station list count, scan
response TLV lengths, multichannel intf_num, and IBSS peer TLV length.

Changes in v3:
  - Regenerated from wireless-next with proper git format-patch.

Changes in v2:
  - No code changes from v1.

Tristan Madani (6):
  wifi: mwifiex: fix OOB write from firmware queue_index in WMM status
    response
  wifi: mwifiex: fix OOB write from firmware TID in ADDBA response
    handler
  wifi: mwifiex: fix OOB read from firmware sta_count in station list
    response
  wifi: mwifiex: fix OOB read in scan response from mismatched TLV data
    sizes
  wifi: mwifiex: fix OOB read from firmware intf_num in multichannel
    event
  wifi: mwifiex: fix OOB read from inflated TLV length in IBSS peer
    event

 drivers/net/wireless/marvell/mwifiex/11n.c         |  5 +++++
 drivers/net/wireless/marvell/mwifiex/scan.c        |  9 ++++++---
 drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c | 10 +++++++++-
 drivers/net/wireless/marvell/mwifiex/sta_event.c   | 12 ++++++++++++
 drivers/net/wireless/marvell/mwifiex/wmm.c         |  5 +++++
 5 files changed, 37 insertions(+), 4 deletions(-)

-- 
2.47.3