From: Tristan Madani <tristan@talencesecurity.com>

The firmware-controlled pkt_len, tp_len, and pkt_offset fields from RX
frame headers are used without validation against the buffer size. This
allows a malicious or malfunctioning firmware to cause out-of-bounds
reads from the RX buffer via wilc_frmw_to_host() and
wilc_wfi_mgmt_rx() memcpy operations.

Add bounds checks to ensure tp_len does not exceed remaining buffer
space, and pkt_len + pkt_offset fits within tp_len.

Fixes: c5c77ba18ea6 ("staging: wilc1000: Add SDIO/SPI 802.11 driver")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
drivers/net/wireless/microchip/wilc1000/wlan.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/microchip/wilc1000/wlan.c b/drivers/net/wireless/microchip/wilc1000/wlan.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/microchip/wilc1000/wlan.c
+++ b/drivers/net/wireless/microchip/wilc1000/wlan.c
@@ -1122,6 +1122,12 @@ static void wilc_wlan_handle_rx_buff(struct wilc *wilc, u8 *buffer, int size)
 		if (pkt_len == 0 || tp_len == 0)
 			break;

+		if (tp_len > size - offset || pkt_len > tp_len) {
+			dev_err(wilc->dev, "invalid RX header: tp=%u pkt=%u remain=%d\n",
+				tp_len, pkt_len, size - offset);
+			break;
+		}
 		if (pkt_offset & IS_MANAGMEMENT) {
 			buff_ptr += HOST_HDR_OFFSET;
 			wilc_wfi_mgmt_rx(wilc, buff_ptr, pkt_len,