From: Theo Buehler Subject: Re: iwx: fix firmware image parser error reporting To: tech@openbsd.org Date: Tue, 3 Mar 2026 11:26:18 +0100 On Tue, Mar 03, 2026 at 11:20:58AM +0100, Stefan Sperling wrote: > Make iwx_read_firmware() error out properly if IWX_NUM_UCODE_TLV_CAPA is > too small. Otherwise, this will return 0 and the driver will proceed with > an incomplete firmware image and fail to load firmware. > > This error will only be triggered by firmware images we have not yet tested. > But it's worth fixing nonetheless. I had to waste some time because of this > bug, trying to understand why BZ -100 firmware wouldn't load. I'm ok with this. All other idx >= howmany() and size/length checks in this function set EINVAL, though. > > M sys/dev/pci/if_iwx.c | 1+ 0- > > 1 file changed, 1 insertion(+), 0 deletions(-) > > commit - 65512a767b3b23fd295d30027f9f431e96edcb8d > commit + ee964a3aa2e4f44a92786653b54d493395033a1d > blob - 7356809caeb4f18d86db013fb9fa37ee27fe2b75 > blob + 99db6d7495e97bef7b44d9eeb330e14cbab00c09 > --- sys/dev/pci/if_iwx.c > +++ sys/dev/pci/if_iwx.c > @@ -1386,6 +1386,7 @@ iwx_read_firmware(struct iwx_softc *sc) > capa = (struct iwx_ucode_capa *)tlv_data; > idx = le32toh(capa->api_index); > if (idx >= howmany(IWX_NUM_UCODE_TLV_CAPA, 32)) { > + err = E2BIG; > goto parse_out; > } > for (i = 0; i < 32; i++) { >
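
Review bot: in the idx >= howmany(IWX_NUM_UCODE_TLV_CAPA, 32) branch, the added err = E2BIG; uses a different errno from the one the reply above says the function's other idx >= howmany() and size/length checks set, which is EINVAL. Unless a caller needs to tell this case apart, err = EINVAL; would keep the parser's failure paths uniform. If E2BIG is kept on purpose to flag that IWX_NUM_UCODE_TLV_CAPA needs raising, a short comment at the assignment saying so would help. The branch also still fails without recording which api_index exceeded the limit, and the commit message describes this as a case that cost debugging time. The visible lines do not show what parse_out reports, so it is worth checking that the failure message there includes idx or at least the error code.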