From: Tristan Madani
To: Christian Lamparter
Cc: Johannes Berg, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 1/3] wifi: carl9170: bound memcpy length in cmd callback to prevent OOB read
Date: Wed, 15 Apr 2026 22:23:17 +0000
Message-ID: <20260415222319.1538389-2-tristmd@gmail.com>
In-Reply-To: <20260415222319.1538389-1-tristmd@gmail.com>

When the firmware sends a command response with a length mismatch,
carl9170_cmd_callback() logs the mismatch and calls carl9170_restart()
but then falls through to memcpy(ar->readbuf, buffer + 4, len - 4).
Since len comes from the firmware and can exceed ar->readlen, this
copies more data than the readbuf was allocated for.

Bound the memcpy to min(len - 4, ar->readlen) so that the response is
still completed -- avoiding repeated restarts from queued garbage --
while preventing an overread past the response buffer.

Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend")
Signed-off-by: Tristan Madani
---
Changes in v2:
- v2: bound memcpy with min_t() instead of adding early return after
  carl9170_restart(), per Christian Lamparter's feedback. The restart
  path must handle queued responses gracefully.

 drivers/net/wireless/ath/carl9170/rx.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/carl9170/rx.c b/drivers/net/wireless/= ath/carl9170/rx.c index XXXXXXX..XXXXXXX 100644 --- a/drivers/net/wireless/ath/carl9170/rx.c +++ b/drivers/net/wireless/ath/carl9170/rx.c 
@@ -151,7 +151,8 @@ static void carl9170_cmd_callback(struct ar9170 *ar, u3= 2 len, void *buffer) spin_lock(&ar->cmd_lock); if (ar->readbuf) { if (len >=3D 4) - memcpy(ar->readbuf, buffer + 4, len - 4); + memcpy(ar->readbuf, buffer + 4, + min_t(u32, len - 4, ar->readlen)); ar->readbuf =3D NULL; } -- 2.43.0

From: Tristan Madani
To: Christian Lamparter
Cc: Johannes Berg, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 2/3] wifi: carl9170: fix OOB read from off-by-two in TX status handler
Date: Wed, 15 Apr 2026 22:23:18 +0000
Message-ID: <20260415222319.1538389-3-tristmd@gmail.com>
In-Reply-To: <20260415222319.1538389-1-tristmd@gmail.com>

The bounds check in carl9170_tx_process_status() uses
`i > ((cmd->hdr.len / 2) + 1)` which is off by two, allowing 2 extra
iterations past valid _tx_status entries when the firmware-controlled
hdr.ext exceeds hdr.len/2.

Fix by using the correct comparison `i >= (cmd->hdr.len / 2)`.

Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend")
Signed-off-by: Tristan Madani
---
 drivers/net/wireless/ath/carl9170/tx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/carl9170/tx.c b/drivers/net/wireless/= ath/carl9170/tx.c index XXXXXXX..XXXXXXX 100644 --- a/drivers/net/wireless/ath/carl9170/tx.c
+++ b/drivers/net/wireless/ath/carl9170/tx.c 
@@ -695,7 +695,7 @@ static void carl9170_tx_process_status(struct ar9170 *a= r, unsigned int i; for (i =3D 0; i < cmd->hdr.ext; i++) { - if (WARN_ON(i > ((cmd->hdr.len / 2) + 1))) { + if (WARN_ON(i >=3D (cmd->hdr.len / 2))) { print_hex_dump_bytes("UU:", DUMP_PREFIX_NONE, (void *) cmd, cmd->hdr.len + 4); break;

From: Tristan Madani
To: Christian Lamparter
Cc: Johannes Berg, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 3/3] wifi: carl9170: fix buffer overflow in rx_stream failover path
Date: Wed, 15 Apr 2026 22:23:19 +0000
Message-ID: <20260415222319.1538389-4-tristmd@gmail.com>
In-Reply-To: <20260415222319.1538389-1-tristmd@gmail.com>

The failover continuation in carl9170_rx_stream() copies the full tlen
from the second USB transfer instead of capping at rx_failover_missing
bytes. When both transfers are near maximum size, the total exceeds the
65535-byte failover SKB, triggering skb_over_panic.

Limit the copy size to the missing byte count.

Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend")
Signed-off-by: Tristan Madani
---
 drivers/net/wireless/ath/carl9170/rx.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/carl9170/rx.c b/drivers/net/wireless/= ath/carl9170/rx.c index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/ath/carl9170/rx.c +++ b/drivers/net/wireless/ath/carl9170/rx.c @@ -918,7 +918,9 @@ static void carl9170_rx_stream(struct ar9170 *ar, void = *buf, unsigned int len) } } - skb_put_data(ar->rx_failover, tbuf, tlen); + skb_put_data(ar->rx_failover, tbuf, + min_t(unsigned int, tlen, + ar->rx_failover_missing)); ar->rx_failover_missing -=3D tlen; if (ar->rx_failover_missing <=3D 0) {
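
Review bot: in the carl9170_cmd_callback() hunk of patch 1/3, the new min_t(u32, len - 4, ar->readlen) bounds the write into ar->readbuf, but nothing in the hunk tells the waiter that the response was truncated or came up short. When len - 4 is smaller than ar->readlen the tail of readbuf keeps whatever it held before, and when it is larger the extra bytes are dropped without a trace at this point. Consider zero-filling the uncopied remainder or recording an error for the waiter next to the ar->readbuf = NULL assignment. The u32 cast in min_t() also hides the signedness of ar->readlen, whose declaration is not visible here, so it is worth confirming that it can never be negative. Since the bound applied is the destination length, the subject's "OOB read" would read more accurately as an overflow of readbuf.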
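
Review bot: the corrected bound in the carl9170_tx_process_status() hunk of patch 2/3 still sits inside WARN_ON(), so a firmware-supplied hdr.ext larger than hdr.len / 2 produces a warning backtrace plus a print_hex_dump_bytes() of cmd->hdr.len + 4 bytes each time such a response arrives. Both fields come from the device, so clamping the loop limit once before the for loop and reporting the mismatch with a rate-limited message would keep the fix while removing a warning the device can trigger at will. The literal 2 presumably stands for the size of one _tx_status entry; writing it as a sizeof expression would document that.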
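
Review bot: in the carl9170_rx_stream() hunk of patch 3/3, the copy is clamped to ar->rx_failover_missing but the following context line still does ar->rx_failover_missing -= tlen with the unclamped value, so the counter no longer matches the bytes actually appended and the surplus bytes of tbuf are discarded without comment. Computing the clamped count once into a local, using it for both skb_put_data() and the subtraction, and stating what happens to the surplus would make this easier to verify. The <= 0 test on the next line suggests rx_failover_missing is signed, in which case min_t(unsigned int, ...) would turn a negative value into a very large length; a check or a comment that it is positive at this point would help.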