Re: [PATCH] net: ath10k: fix OOB: __ath10k_htt_rx_ring_fill_n

2020-07-20 Thread Kalle Valo
Zekun Shen wrote:
> The idx in __ath10k_htt_rx_ring_fill_n function lives in
> consistent dma region writable by the device. Malfunctional
> or malicious device could manipulate such idx to have an OOB
> write. Either by
> htt->rx_ring.netbufs_ring[idx] = skb;
> or by
> ath10k_htt_set_padd

Re: [PATCH] net: ath10k: fix OOB: __ath10k_htt_rx_ring_fill_n

2020-07-15 Thread Kalle Valo
Zekun Shen writes:
> The idx in __ath10k_htt_rx_ring_fill_n function lives in
> consistent dma region writable by the device. Malfunctional
> or malicious device could manipulate such idx to have an OOB
> write. Either by
> htt->rx_ring.netbufs_ring[idx] = skb;
> or by
> ath10k_htt_set_pad

[PATCH] net: ath10k: fix OOB: __ath10k_htt_rx_ring_fill_n

2020-06-23 Thread Zekun Shen
The idx in __ath10k_htt_rx_ring_fill_n function lives in
consistent dma region writable by the device. Malfunctional
or malicious device could manipulate such idx to have an OOB
write. Either by
htt->rx_ring.netbufs_ring[idx] = skb;
or by
ath10k_htt_set_paddrs_ring(htt, paddr, idx);
The idx