From: Seungjin Bae In ar5523_data_rx_cb(), the `rxlen` variable is derived from desc->len, which is provided by the USB device. The function checks for an upper bound (rxlen > ar->rxbufsz) and for a zero value (!rxlen), but it fails to check for a proper lower bound against the size of the descriptor. If a malicious device provides an `rxlen` value that is positive but smaller than sizeof(struct ar5523_rx_desc), the subtraction in the call to skb_put() will result in an integer underflow. This passes a very large unsigned value to skb_put(), which then triggers a kernel panic upon detecting the potential buffer overflow. Fix this by adding a check to ensure `rxlen` is at least sizeof(struct ar5523_rx_desc) before performing the substraction. Fixes: b7d572e1871df ("ar5523: Add new driver") Signed-off-by: Seungjin Bae --- drivers/net/wireless/ath/ar5523/ar5523.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c index 1230e6278f23..dfaccf241560 100644 --- a/drivers/net/wireless/ath/ar5523/ar5523.c +++ b/drivers/net/wireless/ath/ar5523/ar5523.c @@ -589,6 +589,12 @@ static void ar5523_data_rx_cb(struct urb *urb) goto skip; } + if (rxlen < sizeof(struct ar5523_rx_desc)) { + ar5523_dbg(ar, "RX: Bad descriptor (len=%d is too small)\n", + rxlen); + goto skip; + } + skb_reserve(data->skb, sizeof(*chunk)); skb_put(data->skb, rxlen - sizeof(struct ar5523_rx_desc)); -- 2.43.0