From: Kevin Lo <kevlo@kevlo.org>
Subject: signed overflow in ieee80211_40mhz_valid_secondary_below()
To: tech@openbsd.org
Date: Mon, 11 May 2026 16:18:47 +0800

Hi,

I set up an OpenWrt AP with primary channel 161 and 80 MHz bandwidth
(VHT center channel 155, HT40-), and observed that iwx(4) connecting to
this AP ends up at 20MHz instead of 80.
  
AP side:
# iw wlan0 station dump | grep "bitrate"
        tx bitrate:     144.4 MBit/s VHT-MCS 7 short GI VHT-NSS 2
        rx bitrate:     156.0 MBit/s VHT-MCS 8 VHT-NSS 2
  
The absence of a width tag after the bitrate indicates the station is operating
at 20MHz only.

I found a signed overflow in ieee80211_40mhz_valid_secondary_below()
after investigating.  The secondary_chan variable should be uint8_t
instead of int8_t, matching ieee80211_40mhz_valid_secondary_above().

With this change the AP side dump becomes:
# iw wlan0 station dump | grep "bitrate"
        tx bitrate:     520.0 MBit/s VHT-MCS 5 80MHz short GI VHT-NSS 2
        rx bitrate:     866.7 MBit/s VHT-MCS 9 80MHz short GI VHT-NSS 2

ok?

Index: sys/net80211/ieee80211_node.c
===================================================================
RCS file: /cvs/src/sys/net80211/ieee80211_node.c,v
diff -u -p -u -p -r1.214 ieee80211_node.c
--- sys/net80211/ieee80211_node.c	30 Mar 2026 13:59:19 -0000	1.214
+++ sys/net80211/ieee80211_node.c	11 May 2026 07:53:23 -0000
@@ -2477,7 +2477,7 @@ ieee80211_40mhz_valid_secondary_below(ui
 		1, 2, 3, 4, 5, 6, 7, 8, 9,
 		36, 44, 52, 60, 100, 108, 116, 124, 132, 140, 149, 157
 	};
-	int8_t secondary_chan;
+	uint8_t secondary_chan;
 	int i;
 
 	if ((primary_chan >= 5 && primary_chan <= 13) ||