diff options
| author | Seungjin Bae <eeodqql09@gmail.com> | 2025-11-17 20:32:59 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-01-11 15:21:28 +0100 |
| commit | dc153401fb26c1640a2b279c47b65e1c416af276 (patch) | |
| tree | 590a7175af4b1fbd6f024fb313454534268db1c9 /security/integrity | |
| parent | 06a5e91764ed8ce85ee211cf7b07248c9fd2aec1 (diff) | |
| download | linux-dc153401fb26c1640a2b279c47b65e1c416af276.tar.gz linux-dc153401fb26c1640a2b279c47b65e1c416af276.tar.bz2 linux-dc153401fb26c1640a2b279c47b65e1c416af276.zip | |
wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
[ Upstream commit b647d2574e4583c2e3b0ab35568f60c88e910840 ]
The rtl8187_rx_cb() calculates the rx descriptor header address
by subtracting its size from the skb tail pointer.
However, it does not validate if the received packet
(skb->len from urb->actual_length) is large enough to contain this
header.
If a truncated packet is received, this will lead to a buffer
underflow, reading memory before the start of the skb data area,
and causing a kernel panic.
Add length checks for both rtl8187 and rtl8187b descriptor headers
before attempting to access them, dropping the packet cleanly if the
check fails.
Fixes: 6f7853f3cbe4 ("rtl8187: change rtl8187_dev.c to support RTL8187B (part 2)")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20251118013258.1789949-2-eeodqql09@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'security/integrity')
0 files changed, 0 insertions, 0 deletions