From: Tristan Madani The firmware-controlled extended_desc value is subtracted from pkt_len without bounds checking. When extended_desc exceeds pkt_len, the u32 subtraction wraps, causing either a failed allocation (DoS) or an out-of-bounds heap read via the subsequent memcpy from buffer + payload_offset. Both SDIO and USB paths are affected. Add a bounds check to reject packets where extended_desc exceeds pkt_len. Fixes: dad0d04fa7ba ("rsi: data and management rx path") Signed-off-by: Tristan Madani --- drivers/net/wireless/rsi/rsi_91x_main.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/wireless/rsi/rsi_91x_main.c b/drivers/net/wireless/rsi/rsi_91x_main.c index XXXXXXX..XXXXXXX 100644 --- a/drivers/net/wireless/rsi/rsi_91x_main.c +++ b/drivers/net/wireless/rsi/rsi_91x_main.c @@ -136,6 +136,11 @@ static struct sk_buff *rsi_prepare_skb(struct rsi_common *common, pkt_len = RSI_RCV_BUFFER_LEN * 4; } + if (extended_desc > pkt_len) { + rsi_dbg(ERR_ZONE, "%s: extended_desc %u > pkt_len %u\n", + __func__, extended_desc, pkt_len); + return NULL; + } pkt_len -= extended_desc; skb = dev_alloc_skb(pkt_len + FRAME_DESC_SZ); if (skb == NULL)