From: Doruk Tan Ozturk <doruk@0sec.ai>
To: Christian Lamparter <chunkeey@googlemail.com>,
Johannes Berg <johannes@sipsolutions.net>,
Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: [PATCH] wifi: carl9170: clamp command response copy to the read buffer size
Date: Sat, 20 Jun 2026 00:48:18 +0200 [thread overview]
Message-ID: <20260619224818.90751-1-doruk@0sec.ai> (raw)
carl9170_cmd_callback() copies len - 4 bytes from the device command
response into ar->readbuf, which was allocated by the caller with
ar->readlen bytes. When the firmware/device returns a response whose
payload is larger than the requested ar->readlen, the mismatch is only
logged (and the device is restarted via carl9170_restart()); the code
then still performs the full-length memcpy(), writing past the end of
ar->readbuf -- an out-of-bounds write driven by an attacker-controlled
(malicious/compromised) carl9170 USB device.
Clamp the copy to ar->readlen so an over-sized response can never write
past the caller's buffer. A response that fails the length check is
already discarded by the restart, so copying only the buffer-sized
prefix changes nothing for the valid path.
Reported-by: syzbot+5c1ca6ccaa1215781cac@syzkaller.appspotmail.com
Tested-by: syzbot+5c1ca6ccaa1215781cac@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5c1ca6ccaa1215781cac
Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend")
Cc: stable@vger.kernel.org
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
---
Verified with syzbot via "#syz test" against the public C reproducer
(Tested-by above); I do not have carl9170 hardware locally.
drivers/net/wireless/ath/carl9170/rx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/carl9170/rx.c b/drivers/net/wireless/ath/carl9170/rx.c
index 908c4c8..897e682 100644
--- a/drivers/net/wireless/ath/carl9170/rx.c
+++ b/drivers/net/wireless/ath/carl9170/rx.c
@@ -150,7 +150,8 @@ static void carl9170_cmd_callback(struct ar9170 *ar, u32 len, void *buffer)
spin_lock(&ar->cmd_lock);
if (ar->readbuf) {
if (len >= 4)
- memcpy(ar->readbuf, buffer + 4, len - 4);
+ memcpy(ar->readbuf, buffer + 4,
+ min_t(unsigned int, len - 4, ar->readlen));
ar->readbuf = NULL;
}
--
2.43.0
next reply other threads:[~2026-06-19 22:48 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-19 22:48 Doruk Tan Ozturk [this message]
2026-06-21 8:17 ` [PATCH] wifi: carl9170: clamp command response copy to the read buffer size Christian Lamparter
2026-06-21 10:24 ` Doruk (0sec)
-- strict thread matches above, loose matches on Subject: below --
2026-06-25 23:46 Tristan Madani
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260619224818.90751-1-doruk@0sec.ai \
--to=doruk@0sec.ai \
--cc=chunkeey@googlemail.com \
--cc=jeff.johnson@oss.qualcomm.com \
--cc=johannes@sipsolutions.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox