[PATCH v3 2/5] wifi: rsi: fix OOB read from firmware-claimed length exceeding actual frame size
From: Tristan Madani
Date: Tue Apr 21 2026 - 09:55:41 EST
From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
The firmware-controlled length field (12-bit, up to 4095) from the RX
descriptor is used as the memcpy size in rsi_prepare_skb(). No check
ensures this claimed length fits within the actual received data.
A malicious or malfunctioning firmware can cause out-of-bounds reads
past the RX buffer, leaking kernel heap contents into skbs delivered
to mac80211.
Add a bounds check in rsi_read_pkt() to reject frames where offset +
length exceeds actual_length.
Fixes: dad0d04fa7ba ("rsi: data and management rx path")
Signed-off-by: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>
---
Changes in v3:
- Regenerated from wireless-next with proper git format-patch to
produce valid index hashes (v2 had post-processed index lines).
Changes in v2:
- No code changes from v1.
drivers/net/wireless/rsi/rsi_91x_main.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/rsi/rsi_91x_main.c b/drivers/net/wireless/rsi/rsi_91x_main.c
index 2ff7068bad7a7..9901bd53cc844 100644
--- a/drivers/net/wireless/rsi/rsi_91x_main.c
+++ b/drivers/net/wireless/rsi/rsi_91x_main.c
@@ -181,6 +181,12 @@ int rsi_read_pkt(struct rsi_common *common, u8 *rx_pkt, s32 rcv_pkt_len)
queueno = rsi_get_queueno(frame_desc, offset);
length = rsi_get_length(frame_desc, offset);
+ if (offset + length > actual_length) {
+ rsi_dbg(ERR_ZONE,
+ "%s: frame overflows: offset %u + len %u > actual %u\n",
+ __func__, offset, length, actual_length);
+ goto fail;
+ }
/* Extended descriptor is valid for WLAN queues only */
if (queueno == RSI_WIFI_DATA_Q || queueno == RSI_WIFI_MGMT_Q)
extended_desc = rsi_get_extended_desc(frame_desc,
--
2.47.3