From 1463c4a17f9415d26440a4b0f159e3d318d1f2ea Mon Sep 17 00:00:00 2001
From: Chun-Yi Lee
Date: Mar 25 2024 15:56:17 +0000
Subject: wifi: ath10k: fix NULL pointer dereference in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() (bsc#1218336 CVE-2023-7042).
---
diff --git a/patches.suse/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch b/patches.suse/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch
new file mode 100644
index 0000000..95d48b5
--- /dev/null
+++ b/patches.suse/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch
@@ -0,0 +1,35 @@
+From: Xingyuan Mo
+Date: Sun, 17 Dec 2023 13:29:01 +0200
+Subject: wifi: ath10k: fix NULL pointer dereference in
+ ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()
+Patch-mainline: v6.9-rc1
+Git-commit: ad25ee36f00172f7d53242dc77c69fff7ced0755
+References: bsc#1218336 CVE-2023-7042
+
+We should check whether the WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT tlv is
+present before accessing it, otherwise a null pointer deference error will
+occur.
+
+Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event")
+Signed-off-by: Xingyuan Mo
+Acked-by: Jeff Johnson
+Signed-off-by: Kalle Valo
+Link: https://msgid.link/20231208043433.271449-1-hdthky0@gmail.com
+Acked-by: Chun-Yi Lee
+---
+ drivers/net/wireless/ath/ath10k/wmi-tlv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+@@ -678,6 +678,10 @@ ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev(
+ }
+
+ ev = tb[WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT];
++ if (!ev) {
++ kfree(tb);
++ return -EPROTO;
++ }
+
+ arg->desc_id = ev->desc_id;
+ arg->status = ev->status;
diff --git a/series.conf b/series.conf
index 5579939..d3b9ae4 100644
--- a/series.conf
+++ b/series.conf
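Review bot: The added `if (!ev)` guard after `ev = tb[WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT];` proves only that the TLV is present; whether it is long enough for the `ev->desc_id` and `ev->status` reads that follow depends on length validation done while `tb` is built, which this hunk does not show and is worth confirming for this tag. Because the event is supplied by device firmware, I would record the reason on the guard with a comment such as `/* firmware may omit this TLV; the tb[] slot is then NULL */`. The new error path returns `-EPROTO` without logging, so a malformed event would be hard to notice in the field; if the sibling handlers log such failures, adding a warning here would keep it consistent. The function body starts and ends outside the hunk.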
@@ -65025,6 +65025,7 @@
 patches.suse/SUNRPC-fix-some-memleaks-in-gssx_dec_option_array.patch
 patches.suse/NFSD-Reset-cb_seq_status-after-NFS4ERR_DELAY.patch
 patches.suse/NFSD-Retransmit-callbacks-after-client-reconnects.patch
+ patches.suse/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch
 patches.suse/net-sunrpc-Fix-an-off-by-one-in-rpc_sockaddr2uaddr.patch
 patches.suse/NFS-Fix-an-off-by-one-in-root_nfs_cat.patch