[PATCH v2 3/3] wifi: carl9170: fix buffer overflow in rx_stream failover path

Next message: Tristan Madani: "[PATCH v2 1/3] wifi: carl9170: bound memcpy length in cmd callback to prevent OOB read"
Previous message: Tristan Madani: "[PATCH v2 2/5] wifi: rsi: fix integer underflow from firmware extended_desc in rsi_prepare_skb()"
In reply to: Tristan Madani: "[PATCH v2 0/3] wifi: carl9170: fix buffer overflow and OOB reads in firmware response handling"
Next in thread: Tristan Madani: "[PATCH v2 1/3] wifi: carl9170: bound memcpy length in cmd callback to prevent OOB read"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tristan Madani

Date: Wed Apr 15 2026 - 18:23:48 EST

From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

The failover continuation in carl9170_rx_stream() copies the full tlen
from the second USB transfer instead of capping at rx_failover_missing
bytes. When both transfers are near maximum size, the total exceeds the
65535-byte failover SKB, triggering skb_over_panic.

Limit the copy size to the missing byte count.

Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend")
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
drivers/net/wireless/ath/carl9170/rx.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/carl9170/rx.c b/drivers/net/wireless/ath/carl9170/rx.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/ath/carl9170/rx.c
+++ b/drivers/net/wireless/ath/carl9170/rx.c
@@ -918,7 +918,9 @@ static void carl9170_rx_stream(struct ar9170 *ar, void *buf, unsigned int len)
}
}

- skb_put_data(ar->rx_failover, tbuf, tlen);
+ skb_put_data(ar->rx_failover, tbuf,
+ min_t(unsigned int, tlen,
+ ar->rx_failover_missing));
ar->rx_failover_missing -= tlen;

if (ar->rx_failover_missing <= 0) {