From: Stefan Sperling
Subject: Re: iwx: fix firmware image parser error reporting
To: Theo Buehler
Cc: tech@openbsd.org
Date: Tue, 3 Mar 2026 11:34:39 +0100

On Tue, Mar 03, 2026 at 11:26:18AM +0100, Theo Buehler wrote:
> On Tue, Mar 03, 2026 at 11:20:58AM +0100, Stefan Sperling wrote:
> > Make iwx_read_firmware() error out properly if IWX_NUM_UCODE_TLV_CAPA is
> > too small. Otherwise, this will return 0 and the driver will proceed with
> > an incomplete firmware image and fail to load firmware.
> >
> > This error will only be triggered by firmware images we have not yet tested.
> > But it's worth fixing nonetheless. I had to waste some time because of this
> > bug, trying to understand why BZ -100 firmware wouldn't load.
> >
> I'm ok with this. All other idx >= howmany() and size/length checks in
> this function set EINVAL, though.

Thanks. And yes, EINVAL also works for me and consistency is good.

> > M sys/dev/pci/if_iwx.c | 1+ 0- > > > > 1 file changed, 1 insertion(+), 0 deletions(-) > > > > commit - 65512a767b3b23fd295d30027f9f431e96edcb8d > > commit + ee964a3aa2e4f44a92786653b54d493395033a1d > > blob - 7356809caeb4f18d86db013fb9fa37ee27fe2b75 > > blob + 99db6d7495e97bef7b44d9eeb330e14cbab00c09 > > --- sys/dev/pci/if_iwx.c > > +++ sys/dev/pci/if_iwx.c > > @@ -1386,6 +1386,7 @@ iwx_read_firmware(struct iwx_softc *sc) > > capa = (struct iwx_ucode_capa *)tlv_data; > > idx = le32toh(capa->api_index); > > if (idx >= howmany(IWX_NUM_UCODE_TLV_CAPA, 32)) { > > + err = E2BIG; > > goto parse_out; > > } > > for (i = 0; i < 32; i++) { > > > >
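
Review bot: the added `err = E2BIG;` in the `idx >= howmany(IWX_NUM_UCODE_TLV_CAPA, 32)` branch uses a different errno from the one the reply in this thread says all other idx >= howmany() and size/length checks in iwx_read_firmware() set; `err = EINVAL;` would keep the parser's rejection paths consistent. Because this branch is reached only by firmware images that have not been tested yet, a short diagnostic naming the rejected api_index before `goto parse_out` would also make the cause visible when a new image fails to load.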