lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <7012d9a3-821e-44fa-b325-9c4c37c9c26c@RTKEXHMBS03.realtek.com.tw>
Date: Mon, 17 Nov 2025 12:01:47 +0800
From: Ping-Ke Shih <pkshih@...ltek.com>
To: pip-izony <eeodqql09@...il.com>, Hin-Tak Leung <hintak.leung@...il.com>
CC: Seungjin Bae <eeodqql09@...il.com>,
        Kyungtae Kim
	<Kyungtae.Kim@...tmouth.edu>,
        <linux-wireless@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()

pip-izony <eeodqql09@...il.com> wrote:

> 
> From: Seungjin Bae <eeodqql09@...il.com>
> 
> The rtl8187_rx_cb() calculates the rx descriptor header address
> by subtracting its size from the skb tail pointer.
> However, it does not validate if the received packet
> (skb->len from urb->actual_length) is large enough to contain this
> header.
> 
> If a truncated packet is received, this will lead to a buffer
> underflow, reading memory before the start of the skb data area,
> and causing a kernel panic.
> 
> This patch adds length checks for both rtl8187 and rtl8187b descriptor
> headers before attempting to access them, dropping the packet cleanly
> if the check fails.
> 
> Fixes: 6f7853f3cbe4 ("rtl8187: change rtl8187_dev.c to support RTL8187B (part 2)")
> Signed-off-by: Seungjin Bae <eeodqql09@...il.com>
> ---
> 
> diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
> index 0c5c66401daa..eff42acc11a0 100644
> --- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
> +++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
> @@ -344,6 +344,10 @@ static void rtl8187_rx_cb(struct urb *urb)
>  	}
>  
>  	if (!priv->is_rtl8187b) {
> +		if (skb->len < sizeof(struct rtl8187_rx_hdr)) {
> +			dev_kfree_skb_irq(skb);
> +			return;
> +		}

Though compiler doesn't warn something if statements before declarations,
we still don't suggest this style.

A way is 

	struct rtl8187_rx_hdr *hdr;

	if (skb->len < sizeof(struct rtl8187_rx_hdr)) { 
		...
		return;
	}

	hdr = (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));

Or, check before if branches

	(declare at top of this function)
	int skb_len_limit = !priv->is_rtl8187b ? sizeof(struct rtl8187_rx_hdr) :
						 sizeof(struct rtl8187b_rx_hdr);

	if (skb->len < skb_len_limit) {
		...
		return;
	}


>  		struct rtl8187_rx_hdr *hdr =
>  			(typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
>  		flags = le32_to_cpu(hdr->flags);
> @@ -355,6 +359,10 @@ static void rtl8187_rx_cb(struct urb *urb)
>  		rx_status.antenna = (hdr->signal >> 7) & 1;
>  		rx_status.mactime = le64_to_cpu(hdr->mac_time);
>  	} else {
> +		if (skb->len < sizeof(struct rtl8187b_rx_hdr)) {
> +			dev_kfree_skb_irq(skb);
> +			return;
> +		}
>  		struct rtl8187b_rx_hdr *hdr =
>  			(typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
>  		/* The Realtek datasheet for the RTL8187B shows that the RX

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ