wifi: libertas: fix integer underflow in process_cmdrequest() - wireguard-linux

diff options

author	Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>	2026-04-18 04:12:47 +0330
committer	Johannes Berg <johannes.berg@intel.com>	2026-04-27 12:40:32 +0200
commit	3994b4afd521d60e47e012fe2ed7b606aaec370b (patch)
tree	5cd25a7990a4f3922ec022763ec993699979d9fe /include/linux/clk/ssh:/git@git.zx2c4.com
parent	wifi: b43legacy: enforce bounds check on firmware key index in RX path (diff)

wifi: libertas: fix integer underflow in process_cmdrequest()

The existing validation only checks if recvlength exceeds LBS_CMD_BUFFER_SIZE, but doesn't check the lower bound. When a USB device sends a response shorter than MESSAGE_HEADER_LEN, the subtraction (recvlength - MESSAGE_HEADER_LEN) wraps to a huge value, causing memcpy to corrupt the heap. Add the same lower bound check that libertas_tf already has. Signed-off-by: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com> Link: https://patch.msgid.link/20260418004247.368944-1-a.jahangirzad@gmail.com Signed-off-by: Johannes Berg <johannes.berg@intel.com>

Diffstat (limited to 'include/linux/clk/ssh:/git@git.zx2c4.com')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: