
Re: [PATCH] ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb()


 



Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:

> The value of "htc_hdr->endpoint_id" comes from skb->data so Smatch marks
> it as untrusted so we have to check it before using it as an array
> offset.
> 
> This is similar to a bug that syzkaller found in commit e4ff08a4d727
> ("ath9k: Fix use-after-free Write in ath9k_htc_rx_msg") so it is
> probably a real issue.
> 
> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>

Patch applied to ath-next branch of ath.git, thanks.

2705cd7558e7 ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb()

-- 
https://patchwork.kernel.org/patch/11712553/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
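
The check the quoted commit message calls for, shown as an added example; it is not part of the original message and is not the ath9k driver's code. It is a user-space model: the `model_*` names, the header layout, and the table size of 8 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_ENDPOINT_MAX 8 /* assumed table size for this model */

/* Simplified stand-in for the header at the start of skb->data. */
struct model_htc_hdr {
    uint8_t endpoint_id;    /* device-controlled, hence untrusted */
    uint8_t flags;
    uint8_t payload_len[2];
};

struct model_target {
    unsigned int tx_done[MODEL_ENDPOINT_MAX]; /* per-endpoint state */
};

/* Returns 0 if the completion was accounted, -1 if the frame was rejected. */
int model_tx_completion(struct model_target *t, const uint8_t *data, size_t len)
{
    struct model_htc_hdr hdr;

    if (len < sizeof(hdr))  /* model's own precondition: header must fit */
        return -1;
    memcpy(&hdr, data, sizeof(hdr));

    /* Validate the index before it is used as an array offset. */
    if (hdr.endpoint_id >= sizeof(t->tx_done) / sizeof(t->tx_done[0]))
        return -1;

    t->tx_done[hdr.endpoint_id]++;
    return 0;
}

int main(void)
{
    struct model_target t = { {0} };
    const uint8_t in_range[4] = { 1, 0, 0, 0 };       /* constructed frame */
    const uint8_t out_of_range[4] = { 200, 0, 0, 0 }; /* constructed frame */

    printf("in range:     %d\n", model_tx_completion(&t, in_range, 4));
    printf("out of range: %d\n", model_tx_completion(&t, out_of_range, 4));
    return 0;
}
```

Deriving the bound from the array itself keeps the check correct if the table size changes later.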



