From: stsp Date: Wed, 5 Jan 2022 16:33:42 +0000 (+0000) Subject: In iwx(4), fix wrong pointer assignment in iwx_bar_frame_release(). X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=60a617df62818dea1230efd322bef32f1e83a0f5;p=openbsd In iwx(4), fix wrong pointer assignment in iwx_bar_frame_release(). This bug caused the driver to read block ack request information sent by firmware from the wrong offset. The driver flushes buffered frames and moves its Rx block ack window based on this information. Possible consequences of this bug are packet loss or even stalled traffic if the Rx BA window gets out of sync between driver and firmware. Though this effect might get cancelled out when the driver re-syncs the BA window in its regular Rx code path. Spotted by Christian Ehrhardt. --- diff --git a/sys/dev/pci/if_iwx.c b/sys/dev/pci/if_iwx.c index 5dd6eed3612..a24a6208694 100644 --- a/sys/dev/pci/if_iwx.c +++ b/sys/dev/pci/if_iwx.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_iwx.c,v 1.130 2022/01/04 15:55:28 stsp Exp $ */ +/* $OpenBSD: if_iwx.c,v 1.131 2022/01/05 16:33:42 stsp Exp $ */ /* * Copyright (c) 2014, 2016 genua gmbh @@ -2916,7 +2916,7 @@ iwx_rx_bar_frame_release(struct iwx_softc *sc, struct iwx_rx_packet *pkt, { struct ieee80211com *ic = &sc->sc_ic; struct ieee80211_node *ni = ic->ic_bss; - struct iwx_bar_frame_release *release = (void *)data; + struct iwx_bar_frame_release *release = (void *)pkt->data; struct iwx_reorder_buffer *buf; struct iwx_rxba_data *rxba; unsigned int baid, nssn, sta_id, tid;