[PATCH] wifi: ar5523: fix integer underflow in ar5523_data_rx_cb()

Next message: Yury Norov: "Re: [PATCH 1/2] rust: add BitInt integer wrapping type"
Previous message: Timur Tabi: "Re: [PATCH v2 00/12] nova-core: Complete GSP boot and begin RPC communication"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: pip-izony

Date: Mon Nov 03 2025 - 14:56:32 EST

From: Seungjin Bae <eeodqql09@xxxxxxxxx>

In ar5523_data_rx_cb(), the `rxlen` variable is derived from desc->len,
which is provided by the USB device.

The function checks for an upper bound (rxlen > ar->rxbufsz) and for a
zero value (!rxlen), but it fails to check for a proper lower bound
against the size of the descriptor.

If a malicious device provides an `rxlen` value that is positive
but smaller than sizeof(struct ar5523_rx_desc), the subtraction in
the call to skb_put() will result in an integer underflow.

This passes a very large unsigned value to skb_put(), which then
triggers a kernel panic upon detecting the potential buffer overflow.

Fix this by adding a check to ensure `rxlen` is at least
sizeof(struct ar5523_rx_desc) before performing the substraction.

Fixes: b7d572e1871df ("ar5523: Add new driver")
Signed-off-by: Seungjin Bae <eeodqql09@xxxxxxxxx>
---
drivers/net/wireless/ath/ar5523/ar5523.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
index 1230e6278f23..dfaccf241560 100644
--- a/drivers/net/wireless/ath/ar5523/ar5523.c
+++ b/drivers/net/wireless/ath/ar5523/ar5523.c
@@ -589,6 +589,12 @@ static void ar5523_data_rx_cb(struct urb *urb)
goto skip;
}

+ if (rxlen < sizeof(struct ar5523_rx_desc)) {
+ ar5523_dbg(ar, "RX: Bad descriptor (len=%d is too small)\n",
+ rxlen);
+ goto skip;
+ }
+
skb_reserve(data->skb, sizeof(*chunk));
skb_put(data->skb, rxlen - sizeof(struct ar5523_rx_desc));

--
2.43.0