From 60a617df62818dea1230efd322bef32f1e83a0f5 Mon Sep 17 00:00:00 2001
From: stsp
Date: Wed, 5 Jan 2022 16:33:42 +0000
Subject: [PATCH] In iwx(4), fix wrong pointer assignment in iwx_bar_frame_release().
This bug caused the driver to read block ack request information sent by firmware from the wrong offset. The driver flushes buffered frames and moves its Rx block ack window based on this information. Possible consequences of this bug are packet loss or even stalled traffic if the Rx BA window gets out of sync between driver and firmware. Though this effect might get cancelled out when the driver re-syncs the BA window in its regular Rx code path. Spotted by Christian Ehrhardt.
---
 sys/dev/pci/if_iwx.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/dev/pci/if_iwx.c b/sys/dev/pci/if_iwx.c
index 5dd6eed3612..a24a6208694 100644
--- a/sys/dev/pci/if_iwx.c
+++ b/sys/dev/pci/if_iwx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_iwx.c,v 1.130 2022/01/04 15:55:28 stsp Exp $ */
+/* $OpenBSD: if_iwx.c,v 1.131 2022/01/05 16:33:42 stsp Exp $ */
 /*
  * Copyright (c) 2014, 2016 genua gmbh
@@ -2916,7 +2916,7 @@ iwx_rx_bar_frame_release(struct iwx_softc *sc, struct iwx_rx_packet *pkt,
 {
 struct ieee80211com *ic = &sc->sc_ic;
 struct ieee80211_node *ni = ic->ic_bss;
-struct iwx_bar_frame_release *release = (void *)data;
+struct iwx_bar_frame_release *release = (void *)pkt->data;
 struct iwx_reorder_buffer *buf;
 struct iwx_rxba_data *rxba;
 unsigned int baid, nssn, sta_id, tid;
-- 
2.20.1
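Review bot: The `(void *)` cast kept on the corrected `release` initialiser in iwx_rx_bar_frame_release() is the same construct that let the wrong pointer (`data`) compile without a diagnostic, so this line still has no guard against the mistake recurring. A comment above it, such as `/* Firmware notification payload starts at pkt->data. */`, would record which pointer is intended. Because `release` now points at firmware-supplied bytes from which `baid`, `nssn`, `sta_id` and `tid` are presumably derived, the function should reject packets whose payload is shorter than `sizeof(*release)` before reading any field. It should also range-check `baid` before using it to select a reorder buffer. The function body and the rest of the parameter list lie outside the hunk, so whether those checks already exist, or whether the `data` argument is still used afterwards, cannot be confirmed from here.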