From: Tristan Madani The firmware-controlled pkt_len, tp_len, and pkt_offset fields from RX frame headers are used without validation against the buffer size. This allows a malicious or malfunctioning firmware to cause out-of-bounds reads from the RX buffer via wilc_frmw_to_host() and wilc_wfi_mgmt_rx() memcpy operations. Add bounds checks to ensure tp_len does not exceed remaining buffer space, and pkt_len + pkt_offset fits within tp_len. Fixes: c5c77ba18ea6 ("staging: wilc1000: Add SDIO/SPI 802.11 driver") Signed-off-by: Tristan Madani --- Changes in v3: - Regenerated from wireless-next with proper git format-patch to produce valid index hashes (v2 had post-processed index lines). Changes in v2: - No code changes from v1. drivers/net/wireless/microchip/wilc1000/wlan.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/wireless/microchip/wilc1000/wlan.c b/drivers/net/wireless/microchip/wilc1000/wlan.c index 3fa8592eb2503..18024287f56a6 100644 --- a/drivers/net/wireless/microchip/wilc1000/wlan.c +++ b/drivers/net/wireless/microchip/wilc1000/wlan.c @@ -1123,6 +1123,11 @@ static void wilc_wlan_handle_rx_buff(struct wilc *wilc, u8 *buffer, int size) if (pkt_len == 0 || tp_len == 0) break; + if (tp_len > size - offset || pkt_len > tp_len) { + dev_err(wilc->dev, "invalid RX header: tp=%u pkt=%u remain=%d\n", + tp_len, pkt_len, size - offset); + break; + } if (pkt_offset & IS_MANAGMEMENT) { buff_ptr += HOST_HDR_OFFSET; wilc_wfi_mgmt_rx(wilc, buff_ptr, pkt_len, -- 2.47.3