The firmware-controlled bssdescriptsize field in lbs_ret_scan() is used to compute the TSF descriptor position without validation against the response buffer size. An inflated value causes out-of-bounds reads from the 2312-byte response buffer into adjacent struct lbs_private members. Add a check using size_add() that bssdescriptsize plus the response header size does not exceed the total response size, avoiding integer wrapping on 32-bit platforms. Fixes: ff9fc791940f ("libertas: first stab at cfg80211 support") Signed-off-by: Tristan Madani --- drivers/net/wireless/marvell/libertas/cfg.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/marvell/libertas/cfg.c b/drivers/net/wireless/marvell/libertas/cfg.c index 41dee6e0ca9fa..8015adf37c4b0 100644 --- a/drivers/net/wireless/marvell/libertas/cfg.c +++ b/drivers/net/wireless/marvell/libertas/cfg.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include @@ -554,8 +555,8 @@ static int lbs_ret_scan(struct lbs_private *priv, unsigned long dummy, bsssize = get_unaligned_le16(&scanresp->bssdescriptsize); - if (bsssize > le16_to_cpu(resp->size) - - sizeof(struct cmd_ds_802_11_scan_rsp)) { + if (size_add(bsssize, sizeof(struct cmd_ds_802_11_scan_rsp)) > + le16_to_cpu(resp->size)) { lbs_deb_scan( "scan response: bssdescriptsize %d exceeds response\n", bsssize); -- 2.47.3
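Review bot: in the first hunk the header name of the added `#include` is not visible in this copy of the patch; confirm it is the header that declares size_add(), which the second hunk relies on, and that it is placed in the same order as the surrounding includes so the block stays consistent.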
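Review bot: the rewritten condition in the second hunk, `if (size_add(bsssize, sizeof(struct cmd_ds_802_11_scan_rsp)) > le16_to_cpu(resp->size))`, is the right shape and fixes more than the commit message states: besides size_add() saturating instead of wrapping, moving sizeof() to the left side removes the old hazard where `le16_to_cpu(resp->size) - sizeof(struct cmd_ds_802_11_scan_rsp)` underflows to a huge unsigned value whenever resp->size is smaller than the header, which silently disabled the check entirely. It would be worth stating that second effect in the commit message. The lbs_deb_scan() line that follows still prints bsssize with `%d`; since bsssize comes from get_unaligned_le16() it cannot be negative, so `%u` would describe the value more accurately, though this is cosmetic.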