Mailing List Archive

From:: Stefan Sperling <stsp@stsp.name>
Subject:: iwx: fix firmware image parser error reporting
To:: tech@openbsd.org
Date:: Tue, 3 Mar 2026 11:20:58 +0100

Download raw body.

Thread

2026-03-03 10:20 Stefan Sperling:
iwx: fix firmware image parser error reporting
- 2026-03-03 10:26 Theo Buehler:
  iwx: fix firmware image parser error reporting
- - 2026-03-03 10:34 Stefan Sperling:
    iwx: fix firmware image parser error reporting

Make iwx_read_firmware() error out properly if IWX_NUM_UCODE_TLV_CAPA is
too small. Otherwise, this will return 0 and the driver will proceed with
an incomplete firmware image and fail to load firmware.

This error will only be triggered by firmware images we have not yet tested.
But it's worth fixing nonetheless. I had to waste some time because of this
bug, trying to understand why BZ -100 firmware wouldn't load.

M  sys/dev/pci/if_iwx.c  |  1+  0-

1 file changed, 1 insertion(+), 0 deletions(-)

commit - 65512a767b3b23fd295d30027f9f431e96edcb8d
commit + ee964a3aa2e4f44a92786653b54d493395033a1d
blob - 7356809caeb4f18d86db013fb9fa37ee27fe2b75
blob + 99db6d7495e97bef7b44d9eeb330e14cbab00c09
--- sys/dev/pci/if_iwx.c
+++ sys/dev/pci/if_iwx.c
@@ -1386,6 +1386,7 @@ iwx_read_firmware(struct iwx_softc *sc)
 			capa = (struct iwx_ucode_capa *)tlv_data;
 			idx = le32toh(capa->api_index);
 			if (idx >= howmany(IWX_NUM_UCODE_TLV_CAPA, 32)) {
+				err = E2BIG;
 				goto parse_out;
 			}
 			for (i = 0; i < 32; i++) {

2026-03-03 10:20 Stefan Sperling:
iwx: fix firmware image parser error reporting
- 2026-03-03 10:26 Theo Buehler:
  iwx: fix firmware image parser error reporting
- - 2026-03-03 10:34 Stefan Sperling:
    iwx: fix firmware image parser error reporting