From: pip-izony <eeodqql09@gmail.com>
To: Hin-Tak Leung <hintak.leung@gmail.com>
Cc: Seungjin Bae <eeodqql09@gmail.com>,
Kyungtae Kim <Kyungtae.Kim@dartmouth.edu>,
linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
Date: Thu, 13 Nov 2025 13:46:27 -0500
Message-ID: <20251113184626.748717-2-eeodqql09@gmail.com>

From: Seungjin Bae <eeodqql09@gmail.com>

The rtl8187_rx_cb() calculates the rx descriptor header address
by subtracting its size from the skb tail pointer.
However, it does not validate if the received packet
(skb->len from urb->actual_length) is large enough to contain this
header.

If a truncated packet is received, this will lead to a buffer
underflow, reading memory before the start of the skb data area,
and causing a kernel panic.

This patch adds length checks for both rtl8187 and rtl8187b descriptor
headers before attempting to access them, dropping the packet cleanly
if the check fails.

Fixes: 6f7853f3cbe4 ("rtl8187: change rtl8187_dev.c to support RTL8187B (part 2)")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
index 0c5c66401daa..eff42acc11a0 100644
--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
@@ -344,6 +344,10 @@ static void rtl8187_rx_cb(struct urb *urb)
}
if (!priv->is_rtl8187b) {
+ if (skb->len < sizeof(struct rtl8187_rx_hdr)) {
+ dev_kfree_skb_irq(skb);
+ return;
+ }
struct rtl8187_rx_hdr *hdr =
(typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
flags = le32_to_cpu(hdr->flags);
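Review bot: The new early exit in the !priv->is_rtl8187b branch frees the skb and returns straight out of the URB completion handler, so nothing after this point in rtl8187_rx_cb() runs for a short packet. The visible context does not show whether the tail of the function allocates a replacement skb and resubmits the urb; if it does, every truncated packet handled this way takes one RX urb out of circulation, and a device that keeps sending short packets could stall reception. Please confirm, and if so free the skb and then jump to the existing re-arm path instead of a bare "return;". The commit message should also say what happens to the urb on this path, since "dropping the packet cleanly" covers only the skb.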
@@ -355,6 +359,10 @@ static void rtl8187_rx_cb(struct urb *urb)
rx_status.antenna = (hdr->signal >> 7) & 1;
rx_status.mactime = le64_to_cpu(hdr->mac_time);
} else {
+ if (skb->len < sizeof(struct rtl8187b_rx_hdr)) {
+ dev_kfree_skb_irq(skb);
+ return;
+ }
struct rtl8187b_rx_hdr *hdr =
(typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
/* The Realtek datasheet for the RTL8187B shows that the RX
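Review bot: In the else branch the length check sits in front of "struct rtl8187b_rx_hdr *hdr =", which turns that line into a declaration after a statement; the same applies to the rtl8187 branch above. Declare the pointer first at the top of the block, test "skb->len < sizeof(*hdr)", and only then assign hdr from skb_tail_pointer(skb) - sizeof(*hdr). Using sizeof(*hdr) in the check also keeps it tied to the exact size subtracted on the following line, so the two cannot drift apart if the header type changes. Since both branches now carry an identical free-and-return block, a shared label or a single hdr_len variable set per branch and checked once would avoid the duplication.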
--
2.43.0