From: Tristan Madani The firmware-controlled rx_ba_link_id (u8) is used to index the 16-entry wl->links[] array without bounds checking in the BA window size change event handler. An out-of-range value causes OOB reads and an immediate pointer dereference of the OOB wlvif field. Add bounds validation consistent with all other HLID consumers in the driver. Fixes: d4392269f7ce ("wlcore: Add RX_BA_WIN_SIZE_CHANGE_EVENT event") Signed-off-by: Tristan Madani --- drivers/net/wireless/ti/wl18xx/event.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/wireless/ti/wl18xx/event.c b/drivers/net/wireless/ti/wl18xx/event.c index XXXXXXX..XXXXXXX 100644 --- a/drivers/net/wireless/ti/wl18xx/event.c +++ b/drivers/net/wireless/ti/wl18xx/event.c @@ -211,6 +211,12 @@ int wl18xx_process_mailbox_events(struct wl1271 *wl) u8 win_size = mbox->rx_ba_win_size; const u8 *addr; + if (link_id >= WLCORE_MAX_LINKS) { + wl1271_error("BA event: invalid link_id %u\n", + link_id); + goto out; + } + wlvif = wl->links[link_id].wlvif; vif = wl12xx_wlvif_to_vif(wlvif); From: Tristan Madani The firmware-controlled max_buff_size field is used to compute buffer offsets in wlcore_event_fw_logger() without validation against the 4128-byte kernel allocation. An inflated value causes out-of-bounds reads from kernel heap, with the data written to the debugfs-accessible fwlog ring buffer. Cap max_buff_size at the allocation size minus the header offset. Fixes: 3719c17e1816 ("wlcore/wl18xx: fw logger over sdio") Signed-off-by: Tristan Madani --- drivers/net/wireless/ti/wlcore/event.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/net/wireless/ti/wlcore/event.c b/drivers/net/wireless/ti/wlcore/event.c index XXXXXXX..XXXXXXX 100644 --- a/drivers/net/wireless/ti/wlcore/event.c +++ b/drivers/net/wireless/ti/wlcore/event.c 
@@ -62,6 +62,13 @@ void wlcore_event_fw_logger(struct wl1271 *wl) if (actual_len == 0) goto free_out; + if (le32_to_cpu(fw_log.max_buff_size) > + WL18XX_LOGGER_SDIO_BUFF_MAX - WL18XX_LOGGER_BUFF_OFFSET) { + wl1271_error("fw logger: max_buff_size %u exceeds buffer\n", + le32_to_cpu(fw_log.max_buff_size)); + goto free_out; + } + /* Calculate the internal pointer to the fwlog structure */ addr_ptr = internal_fw_addrbase + addr; From: Tristan Madani The firmware-controlled sc_ssid_len and sc_pwd_len values are used as nla_put sizes from fixed-size mailbox buffers (32 and 64 bytes) without bounds checking. Values exceeding the buffer sizes cause out-of-bounds reads delivered to userspace via nl80211 vendor events. Clamp the lengths to the mailbox buffer sizes before use. Fixes: e93e15fb47e5 ("wlcore/wl18xx: handle smart config events") Signed-off-by: Tristan Madani --- drivers/net/wireless/ti/wl18xx/event.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/wireless/ti/wl18xx/event.c b/drivers/net/wireless/ti/wl18xx/event.c index XXXXXXX..XXXXXXX 100644 --- a/drivers/net/wireless/ti/wl18xx/event.c +++ b/drivers/net/wireless/ti/wl18xx/event.c @@ -82,6 +82,9 @@ static int wlcore_smart_config_decode_event(struct wl1271 *wl, { struct sk_buff *skb; + ssid_len = min_t(u8, ssid_len, 32); + pwd_len = min_t(u8, pwd_len, 64); + wl1271_debug(DEBUG_EVENT, "SMART_CONFIG_DECODE_EVENT_ID"); wl1271_dump_ascii(DEBUG_EVENT, "SSID:", ssid, ssid_len);
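Review bot: in the RX_BA_WIN_SIZE_CHANGE_EVENT hunk of wl18xx/event.c, `goto out` on a bad link_id appears to leave wl18xx_process_mailbox_events altogether, so any other event bits set in the same mailbox vector would go unprocessed (assuming `out` is the function's exit label; the hunk does not show it, so please confirm the label exists and where it lands). The check only needs to skip this one event's handling, so a local skip label or wrapping the BA handling in the `if` would be safer. The range check also still leaves `wlvif = wl->links[link_id].wlvif;` followed immediately by `vif = wl12xx_wlvif_to_vif(wlvif);`: if a link slot's wlvif can be NULL while the link is unallocated, an in-range but unused link_id from the firmware hits the same immediate dereference the commit message describes, and a `if (!wlvif)` test next to the bounds check would close that too. Minor: the error string ends in "\n" while the other wl1271_* calls in this series (e.g. `wl1271_debug(DEBUG_EVENT, "SMART_CONFIG_DECODE_EVENT_ID");`) pass none; check whether wl1271_error already appends its own newline.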
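Review bot: in the wlcore_event_fw_logger hunk, the commit message says max_buff_size is capped at the allocation size minus the header offset, but the code rejects the event (`goto free_out`) rather than clamping; one of the two should change so they agree, and rejecting with an error is the more defensible behaviour for a value that can only come from a misbehaving firmware, so the message is probably what needs fixing. Two smaller points: `le32_to_cpu(fw_log.max_buff_size)` is evaluated twice, once in the test and once in the error message, so a `u32 max_buff_size = le32_to_cpu(fw_log.max_buff_size);` local would read better and could feed the offset computation that follows; and WL18XX_LOGGER_SDIO_BUFF_MAX / WL18XX_LOGGER_BUFF_OFFSET are chip-specific wl18xx names referenced from the shared wlcore core, which deserves at least a comment if the logger format is considered 18xx-only. The surrounding `if (actual_len == 0) goto free_out;` shows actual_len is taken from the same firmware-supplied log header; if it is later used as a copy length, please confirm it is bounded as well, since this hunk only checks max_buff_size.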
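Review bot: in the wlcore_smart_config_decode_event hunk, the clamp limits in `ssid_len = min_t(u8, ssid_len, 32);` and `pwd_len = min_t(u8, pwd_len, 64);` are bare literals duplicating the mailbox buffer sizes named in the commit message; since this function only sees the ssid/pwd pointers, a pair of named constants derived from the mailbox array sizes (sizeof on the fields at their definition) would keep the check correct if the mailbox layout changes. Also consider whether silent truncation is the right response: the other two patches in this series log and drop the event on an out-of-range firmware value, while here an oversize sc_ssid_len or sc_pwd_len is trimmed and a truncated SSID/password is still delivered to userspace via the nl80211 vendor event with no indication anything was wrong. Logging with wl1271_error and returning an error from this function, which already returns int, would match the rest of the series and avoid handing userspace a credential that does not correspond to what the firmware decoded.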