From: pip-izony <eeodqql09@gmail.com>
To: Jeff Johnson <jeff.johnson@oss.qualcomm.com>,
Kees Cook <kees@kernel.org>
Cc: Seungjin Bae <eeodqql09@gmail.com>,
Kyungtae Kim <Kyungtae.Kim@dartmouth.edu>,
Pontus Fuchs <pontus.fuchs@gmail.com>,
"John W . Linville" <linville@tuxdriver.com>,
linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] wifi: ar5523: validate rxlen against descriptor size and usblen in ar5523_data_rx_cb()
Date: Fri, 17 Jul 2026 07:02:21 -0400 [thread overview]
Message-ID: <20260717110219.2392132-3-eeodqql09@gmail.com> (raw)
In-Reply-To: <7bd71d11-d6f2-473d-b5ae-f5fbc972ef40@oss.qualcomm.com>
From: Seungjin Bae <eeodqql09@gmail.com>
In ar5523_data_rx_cb(), the `rxlen` variable is derived from desc->len,
which is provided by the USB device.
The function checks for an upper bound (rxlen > ar->rxbufsz) and for a
zero value (!rxlen), but it fails to check for a proper lower bound
against the size of the descriptor.
If a malicious device provides an `rxlen` value that is positive
but smaller than sizeof(struct ar5523_rx_desc), the subtraction in
the call to skb_put() will result in an integer underflow.
This passes a very large unsigned value to skb_put(), which then
triggers a kernel panic upon detecting the potential buffer overflow.
Fix this by adding a check to ensure `rxlen` is at least
sizeof(struct ar5523_rx_desc) before performing the subtraction.
Additionally, `rxlen` is not cross-checked against usblen (the number
of bytes actually received). Since the frame layout is
[ar5523_chunk][802.11 payload][ar5523_rx_desc] and `usblen` covers the
whole buffer, a valid rxlen cannot exceed `usblen - sizeof(chunk)`. A
device reporting a larger `rxlen` would cause skb_put() to expose
descriptor trailer bytes or uninitialized skb tail data as 802.11
payload to ieee80211_rx_irqsafe().
Add a check to reject such frames.
Fixes: b7d572e1871df ("ar5523: Add new driver")
Suggested-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
---
v1 -> v2: cross-check rxlen against usblen to prevent overreading past the received payload
drivers/net/wireless/ath/ar5523/ar5523.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
index 66ac396858a5..3ee4b020f416 100644
--- a/drivers/net/wireless/ath/ar5523/ar5523.c
+++ b/drivers/net/wireless/ath/ar5523/ar5523.c
@@ -589,6 +589,18 @@ static void ar5523_data_rx_cb(struct urb *urb)
goto skip;
}
+ if (rxlen < sizeof(struct ar5523_rx_desc)) {
+ ar5523_dbg(ar, "RX: Bad descriptor (len=%u is too small)\n",
+ rxlen);
+ goto skip;
+ }
+
+ if (rxlen > usblen - sizeof(struct ar5523_chunk)) {
+ ar5523_dbg(ar, "RX: rxlen too large (rxlen=%u usblen=%d)\n",
+ rxlen, usblen);
+ goto skip;
+ }
+
skb_reserve(data->skb, sizeof(*chunk));
skb_put(data->skb, rxlen - sizeof(struct ar5523_rx_desc));
--
2.43.0
prev parent reply other threads:[~2026-07-17 11:03 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-03 19:55 [PATCH] wifi: ar5523: fix integer underflow in ar5523_data_rx_cb() pip-izony
2026-07-16 22:15 ` Jeff Johnson
2026-07-17 11:02 ` pip-izony [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260717110219.2392132-3-eeodqql09@gmail.com \
--to=eeodqql09@gmail.com \
--cc=Kyungtae.Kim@dartmouth.edu \
--cc=jeff.johnson@oss.qualcomm.com \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=linville@tuxdriver.com \
--cc=pontus.fuchs@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox