wifi: wl1251: validate packet IDs before indexing tx_frames
authorPengpeng Hou <pengpeng@iscas.ac.cn>
Mon, 23 Mar 2026 08:08:45 +0000 (16:08 +0800)
committerJohannes Berg <johannes.berg@intel.com>
Tue, 24 Mar 2026 14:32:31 +0000 (15:32 +0100)
wl1251_tx_packet_cb() uses the firmware completion ID directly to index
the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the
completion block, and the callback does not currently verify that it
fits the array before dereferencing it.

Reject completion IDs that fall outside wl->tx_frames[] and keep the
existing NULL check in the same guard. This keeps the fix local to the
trust boundary and avoids touching the rest of the completion flow.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Link: https://patch.msgid.link/20260323080845.40033-1-pengpeng@iscas.ac.cn
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
drivers/net/wireless/ti/wl1251/tx.c

index 2da8c0d5105bd3357b8290fd5d74d8cebd31b7a7..4489aa77bb0fa9bafbe485f2a5f237ae697bd91b 100644 (file)
@@ -402,12 +402,14 @@ static void wl1251_tx_packet_cb(struct wl1251 *wl,
        int hdrlen;
        u8 *frame;
 
-       skb = wl->tx_frames[result->id];
-       if (skb == NULL) {
-               wl1251_error("SKB for packet %d is NULL", result->id);
+       if (unlikely(result->id >= ARRAY_SIZE(wl->tx_frames) ||
+                    wl->tx_frames[result->id] == NULL)) {
+               wl1251_error("invalid packet id %u", result->id);
                return;
        }
 
+       skb = wl->tx_frames[result->id];
+
        info = IEEE80211_SKB_CB(skb);
 
        if (!(info->flags & IEEE80211_TX_CTL_NO_ACK) &&
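Review bot: The merged guard at the top of the hunk reports an out-of-range ID and an in-range but empty slot with the same `invalid packet id %u` text, so someone triaging the log cannot tell a corrupt completion block from a duplicate or stale completion. Because the bounds check is evaluated first, the two cases can be tested separately without losing safety, e.g. `if (unlikely(result->id >= ARRAY_SIZE(wl->tx_frames))) { wl1251_error("packet id %u out of range", result->id); return; }` followed by the original NULL check with its original message. The error is also emitted once per rejected completion; if wl1251_error is not rate-limited (its definition is not on this page), a misbehaving device could fill the kernel log, so a rate-limited print may be worth considering here. wl1251_tx_packet_cb starts before and continues past this hunk, so how the slot is cleared after use is not visible.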