From: Stefan Sperling <stsp@stsp.name>
Subject: Re: signed overflow in ieee80211_40mhz_valid_secondary_below()
To: Kevin Lo <kevlo@kevlo.org>
Cc: tech@openbsd.org
Date: Mon, 11 May 2026 12:33:28 +0200

On Mon, May 11, 2026 at 04:18:47PM +0800, Kevin Lo wrote:
> Hi,
> 
> I set up an OpenWrt AP with primary channel 161 and 80 MHz bandwidth
> (VHT center channel 155, HT40-), and observed that iwx(4) connecting to
> this AP ends up at 20MHz instead of 80.
>   
> AP side:
> # iw wlan0 station dump | grep "bitrate"
>         tx bitrate:     144.4 MBit/s VHT-MCS 7 short GI VHT-NSS 2
>         rx bitrate:     156.0 MBit/s VHT-MCS 8 VHT-NSS 2
>   
> The absence of a width tag after the bitrate indicates the station is operating
> at 20MHz only.
> 
> I found a signed overflow in ieee80211_40mhz_valid_secondary_below()
> after investigating.  The secondary_chan variable should be uint8_t
> instead of int8_t, matching ieee80211_40mhz_valid_secondary_above().
> 
> With this change the AP side dump becomes:
> # iw wlan0 station dump | grep "bitrate"
>         tx bitrate:     520.0 MBit/s VHT-MCS 5 80MHz short GI VHT-NSS 2
>         rx bitrate:     866.7 MBit/s VHT-MCS 9 80MHz short GI VHT-NSS 2
> 
> ok?

ok stsp@, thanks!
 
> Index: sys/net80211/ieee80211_node.c
> ===================================================================
> RCS file: /cvs/src/sys/net80211/ieee80211_node.c,v
> diff -u -p -u -p -r1.214 ieee80211_node.c
> --- sys/net80211/ieee80211_node.c	30 Mar 2026 13:59:19 -0000	1.214
> +++ sys/net80211/ieee80211_node.c	11 May 2026 07:53:23 -0000
> @@ -2477,7 +2477,7 @@ ieee80211_40mhz_valid_secondary_below(ui
>  		1, 2, 3, 4, 5, 6, 7, 8, 9,
>  		36, 44, 52, 60, 100, 108, 116, 124, 132, 140, 149, 157
>  	};
> -	int8_t secondary_chan;
> +	uint8_t secondary_chan;
>  	int i;
>  
>  	if ((primary_chan >= 5 && primary_chan <= 13) ||
> 
>