[PATCH] wifi: libertas: fix integer underflow in process_cmdrequest()

Next message: Herbert Xu: "Re: [PATCH for-7.1-fixes 1/2] rhashtable: add no_sync_grow option"
Previous message: Rob Herring (Arm): "Re: [PATCH v4 3/4] dt-bindings: gpio: describe Waveshare GPIO controller"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Amir Mohammad Jahangirzad

Date: Fri Apr 17 2026 - 20:43:16 EST

The existing validation only checks if recvlength exceeds
LBS_CMD_BUFFER_SIZE, but doesn't check the lower bound. When a
USB device sends a response shorter than MESSAGE_HEADER_LEN, the
subtraction (recvlength - MESSAGE_HEADER_LEN) wraps to a huge
value, causing memcpy to corrupt the heap.
Add the same lower bound check that libertas_tf already has.

Signed-off-by: Amir Mohammad Jahangirzad <a.jahangirzad@xxxxxxxxx>
---
drivers/net/wireless/marvell/libertas/if_usb.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/marvell/libertas/if_usb.c b/drivers/net/wireless/marvell/libertas/if_usb.c
index 8a6bf1365..42d3fd32e 100644
--- a/drivers/net/wireless/marvell/libertas/if_usb.c
+++ b/drivers/net/wireless/marvell/libertas/if_usb.c
@@ -625,9 +625,10 @@ static inline void process_cmdrequest(int recvlength, uint8_t *recvbuff,
unsigned long flags;
u8 i;

- if (recvlength > LBS_CMD_BUFFER_SIZE) {
+ if (recvlength < MESSAGE_HEADER_LEN ||
+ recvlength > LBS_CMD_BUFFER_SIZE) {
lbs_deb_usbd(&cardp->udev->dev,
- "The receive buffer is too large\n");
+ "The receive buffer is invalid: %d\n", recvlength);
kfree_skb(skb);
return;
}
--
2.53.0