From: pip-izony
To: Hin-Tak Leung
Cc: Seungjin Bae, Kyungtae Kim, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
Date: Mon, 17 Nov 2025 13:09:56 -0500
Message-ID: <20251117180955.1710801-2-eeodqql09@gmail.com>
In-Reply-To: <7012d9a3-821e-44fa-b325-9c4c37c9c26c@RTKEXHMBS03.realtek.com.tw>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Seungjin Bae

The rtl8187_rx_cb() calculates the rx descriptor header address by subtracting its size from the skb tail pointer. However, it does not validate if the received packet (skb->len from urb->actual_length) is large enough to contain this header. If a truncated packet is received, this will lead to a buffer underflow, reading memory before the start of the skb data area, and causing a kernel panic.

This patch adds length checks for both rtl8187 and rtl8187b descriptor headers before attempting to access them, dropping the packet cleanly if the check fails.

Fixes: 6f7853f3cbe4 ("rtl8187: change rtl8187_dev.c to support RTL8187B (part 2)")
Signed-off-by: Seungjin Bae
---
v1 -> v2: Addressing feedback from Ping-Ke Shih

 .../net/wireless/realtek/rtl818x/rtl8187/dev.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
index 0c5c66401daa..4d0b408b4e33 100644
--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
@@ -344,8 +344,13 @@ static void rtl8187_rx_cb(struct urb *urb) } =20 if (!priv->is_rtl8187b) { - struct rtl8187_rx_hdr *hdr =3D - (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr)); + struct rtl8187_rx_hdr *hdr; + + if (skb->len < sizeof(struct rtl8187_rx_hdr)) { + dev_kfree_skb_irq(skb); + return; + } + hdr =3D (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr)); flags =3D le32_to_cpu(hdr->flags); /* As with the RTL8187B below, the AGC is used to calculate * signal strength. In this case, the scaling
@@ -355,8 +360,13 @@ static void rtl8187_rx_cb(struct urb *urb) rx_status.antenna =3D (hdr->signal >> 7) & 1; rx_status.mactime =3D le64_to_cpu(hdr->mac_time); } else { - struct rtl8187b_rx_hdr *hdr =3D - (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr)); + struct rtl8187b_rx_hdr *hdr; + + if (skb->len < sizeof(struct rtl8187b_rx_hdr)) { + dev_kfree_skb_irq(skb); + return; + } + hdr =3D (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr)); /* The Realtek datasheet for the RTL8187B shows that the RX * header contains the following quantities: signal quality, * RSSI, AGC, the received power in dB, and the measured SNR. --=20 2.43.0
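Review bot: In the first hunk (the `rtl8187_rx_hdr` branch) the new check compares `skb->len` against `sizeof(struct rtl8187_rx_hdr)` while the line right after it uses `sizeof(*hdr)`; since `hdr` is now declared before the check, `if (skb->len < sizeof(*hdr))` keeps both expressions in step if the type ever changes and matches the style of the surrounding code. Note also that the guard is only the minimum needed to dereference the descriptor: a transfer of exactly `sizeof(*hdr)` bytes passes with no frame bytes in front of the header, so whatever length the code derives from `flags` afterwards still has to be treated as untrusted. Finally, the `Fixes:` tag names the RTL8187B support commit 6f7853f3cbe4, but this hunk guards the non-B `rtl8187_rx_hdr` path, which that change presumably only moved into the `if (!priv->is_rtl8187b)` branch; worth checking whether the earlier commit that introduced the tail-minus-header arithmetic is the better target for stable backports.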
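Review bot: The second hunk (the `rtl8187b_rx_hdr` branch) repeats the first hunk's drop path verbatim (`if (skb->len < sizeof(...)) { dev_kfree_skb_irq(skb); return; }`); since both branches need the same test and differ only in the header size, hoisting one check ahead of `if (!priv->is_rtl8187b)`, with the expected header size computed into a local first, would leave a single early exit to maintain instead of two. The drop is also silent in both places: a faulty or hostile USB device that streams short transfers is discarded without any trace, so a rate-limited debug message or a counter on this path would make the condition diagnosable. Please also confirm that freeing the skb and returning here keeps the RX queue replenished, since the dropped buffer is not re-queued in this hunk.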
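The commit message describes the descriptor being located by walking back `sizeof(hdr)` bytes from the skb tail and the underflow that results when `urb->actual_length` is shorter than that. The following is an added user-space example, not the driver's code and not part of this patch, that models that arithmetic on a constructed buffer so the pre-patch offset and the patched length check can be inspected side by side. The `rx_hdr` layout mirrors the 16-byte `rtl8187_rx_hdr` as recalled from the driver (an assumption; only `flags`, `signal` and `mac_time` are used, following the hunk context), and `fake_skb`, `build_transfer` and `simulate` are helpers invented here, with the transfer contents being arbitrary test data rather than anything captured from hardware.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the driver's rtl8187_rx_hdr (16 bytes, packed) so sizeof() matches
 * the check in the patch. Only flags, signal and mac_time are used below; the
 * other field names are assumed from the driver as remembered here. */
struct rx_hdr {
	uint32_t flags;     /* __le32 in the driver */
	uint8_t  noise;
	uint8_t  signal;    /* bit 7 selects the antenna, as in the patch context */
	uint8_t  agc;
	uint8_t  reserved;
	uint64_t mac_time;  /* __le64 in the driver */
} __attribute__((packed));

/* Constructed stand-in for the two skb fields the callback depends on. */
struct fake_skb {
	uint8_t *head;  /* start of the receive buffer */
	size_t   len;   /* bytes the URB delivered (urb->actual_length) */
};

struct rx_desc {
	uint32_t flags;
	int      antenna;
	uint64_t mac_time;
};

static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint64_t get_le64(const uint8_t *p)
{
	return (uint64_t)get_le32(p) | (uint64_t)get_le32(p + 4) << 32;
}

static void put_le(uint8_t *p, uint64_t v, int nbytes)
{
	for (int i = 0; i < nbytes; i++)
		p[i] = (uint8_t)(v >> (8 * i));
}

/* Pre-patch arithmetic, expressed as a byte offset of the descriptor from
 * skb->head. Negative means the pointer would sit before the buffer, which is
 * the underflow a truncated transfer triggers. Computed on lengths rather than
 * pointers so the out-of-bounds case stays well defined in C. */
static ptrdiff_t unchecked_hdr_offset(const struct fake_skb *skb)
{
	return (ptrdiff_t)skb->len - (ptrdiff_t)sizeof(struct rx_hdr);
}

/* Patched behaviour: read the trailing descriptor only when the transfer is
 * at least sizeof(struct rx_hdr) bytes long; otherwise drop the packet. */
static int parse_rx_desc(const struct fake_skb *skb, struct rx_desc *out)
{
	if (skb->len < sizeof(struct rx_hdr))
		return -1;  /* truncated: drop, as dev_kfree_skb_irq() does in the patch */

	const uint8_t *hdr = skb->head + skb->len - sizeof(struct rx_hdr);
	out->flags    = get_le32(hdr + offsetof(struct rx_hdr, flags));
	out->antenna  = (hdr[offsetof(struct rx_hdr, signal)] >> 7) & 1;
	out->mac_time = get_le64(hdr + offsetof(struct rx_hdr, mac_time));
	return 0;
}

/* Constructed 46-byte transfer: 30 bytes of frame followed by the descriptor.
 * All values are arbitrary test data, not captured from a device. */
#define PAYLOAD_LEN 30
#define TRANSFER_LEN (PAYLOAD_LEN + sizeof(struct rx_hdr))

static void build_transfer(uint8_t *buf)
{
	uint8_t *hdr = buf + PAYLOAD_LEN;
	memset(buf, 0xAA, PAYLOAD_LEN);
	memset(hdr, 0, sizeof(struct rx_hdr));
	put_le(hdr + offsetof(struct rx_hdr, flags), 0xB0001Eu, 4);
	hdr[offsetof(struct rx_hdr, signal)] = 0x85;  /* antenna bit set */
	put_le(hdr + offsetof(struct rx_hdr, mac_time), 0x0102030405060708ULL, 8);
}

/* Simulates the device delivering only `actual_length` bytes of that
 * transfer, which is how a truncated packet shows up in urb->actual_length.
 * `out` may be NULL when only the drop/accept decision matters. */
static int simulate(size_t actual_length, struct rx_desc *out)
{
	uint8_t buf[TRANSFER_LEN];
	struct rx_desc tmp;
	struct fake_skb skb = { .head = buf, .len = actual_length };

	if (actual_length > TRANSFER_LEN)
		return -2;
	build_transfer(buf);
	return parse_rx_desc(&skb, out ? out : &tmp);
}

static ptrdiff_t unchecked_offset_for(size_t actual_length)
{
	uint8_t buf[TRANSFER_LEN];
	struct fake_skb skb = { .head = buf, .len = actual_length };
	return unchecked_hdr_offset(&skb);
}

int main(void)
{
	struct rx_desc d;
	size_t lens[] = { TRANSFER_LEN, sizeof(struct rx_hdr), 4 };

	for (size_t i = 0; i < 3; i++) {
		int rc = simulate(lens[i], &d);
		printf("actual_length=%zu unchecked offset=%td -> %s\n",
		       lens[i], unchecked_offset_for(lens[i]),
		       rc ? "dropped (truncated)" : "accepted");
		if (rc == 0)
			printf("  flags=0x%08x antenna=%d mac_time=0x%016llx\n",
			       d.flags, d.antenna, (unsigned long long)d.mac_time);
	}
	return 0;
}
```

The 4-byte case is the one the patch is about: before the check, the descriptor pointer lands 12 bytes before the buffer. The 16-byte case shows the limit of the fix: it is accepted because the read is in bounds, but the "descriptor" is just the first 16 payload bytes, so the length check guarantees a safe dereference, not a meaningful descriptor.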