In iwx(4), fix wrong pointer assignment in iwx_bar_frame_release().

This bug caused the driver to read block ack request information sent
by firmware from the wrong offset. The driver flushes buffered frames
and moves its Rx block ack window based on this information. Possible
consequences of this bug are packet loss or even stalled traffic if
the Rx BA window gets out of sync between driver and firmware. Though
this effect might get cancelled out when the driver re-syncs the BA
window in its regular Rx code path.

Spotted by Christian Ehrhardt.

diff --git a/sys/dev/pci/if_iwx.c b/sys/dev/pci/if_iwx.c
index 5dd6eed..a24a620 100644 (file)
--- a/sys/dev/pci/if_iwx.c
+++ b/sys/dev/pci/if_iwx.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: if_iwx.c,v 1.130 2022/01/04 15:55:28 stsp Exp $       */
+/*     $OpenBSD: if_iwx.c,v 1.131 2022/01/05 16:33:42 stsp Exp $       */
 
 /*
  * Copyright (c) 2014, 2016 genua gmbh <info@genua.de>
@@ -2916,7 +2916,7 @@ iwx_rx_bar_frame_release(struct iwx_softc *sc, struct iwx_rx_packet *pkt,
 {
        struct ieee80211com *ic = &sc->sc_ic;
        struct ieee80211_node *ni = ic->ic_bss;
-       struct iwx_bar_frame_release *release = (void *)data;
+       struct iwx_bar_frame_release *release = (void *)pkt->data;
        struct iwx_reorder_buffer *buf;
        struct iwx_rxba_data *rxba;
        unsigned int baid, nssn, sta_id, tid;