From: HE WEI (ギカク) carl9170_cmd_callback() copies a command response coming from the USB device into ar->readbuf using the device-reported length: memcpy(ar->readbuf, buffer + 4, len - 4); ar->readbuf points at the buffer supplied by the caller of carl9170_exec_cmd(), which is frequently an on-stack buffer sized to the expected response length (ar->readlen). The preceding sanity check only emits a warning and schedules a restart when ar->readlen != len - 4; it does not stop processing, so the memcpy() still runs with the attacker-controlled length. A malicious or malfunctioning AR9170 USB device can therefore answer a pending command with an over-sized response and overflow ar->readbuf, as reported by syzbot: BUG: KASAN: stack-out-of-bounds Write in carl9170_handle_command_response The comment in that branch already documents the intended behaviour ("Do not complete. The command times out, and we get a stack trace from there."), but the return statement was missing. Return after carl9170_restart() so an over-/under-sized response is neither copied into ar->readbuf nor completed; carl9170_exec_cmd() then times out and clears readbuf in its error path. Reported-by: syzbot+5c1ca6ccaa1215781cac@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=5c1ca6ccaa1215781cac Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend") Signed-off-by: HE WEI (ギカク) --- drivers/net/wireless/ath/carl9170/rx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/wireless/ath/carl9170/rx.c b/drivers/net/wireless/ath/carl9170/rx.c --- a/drivers/net/wireless/ath/carl9170/rx.c +++ b/drivers/net/wireless/ath/carl9170/rx.c @@ -145,6 +145,7 @@ static void carl9170_cmd_callback(struct ar9170 *ar, u32 len, void *buffer) * and we get a stack trace from there. */ carl9170_restart(ar, CARL9170_RR_INVALID_RSP); + return; } spin_lock(&ar->cmd_lock); -- 2.43.0