| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f2c4b0f5-1065-4ac1-9430-09e46b210ebc@RTKEXHMBS03.realtek.com.tw>
Date: Fri, 21 Nov 2025 11:45:12 +0800
From: Ping-Ke Shih <pkshih@...ltek.com>
To: pip-izony <eeodqql09@...il.com>, Hin-Tak Leung <hintak.leung@...il.com>
CC: Seungjin Bae <eeodqql09@...il.com>,
Kyungtae Kim
<Kyungtae.Kim@...tmouth.edu>,
<linux-wireless@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v3] rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
pip-izony <eeodqql09@...il.com> wrote:
> From: Seungjin Bae <eeodqql09@...il.com>
>
> The rtl8187_rx_cb() calculates the rx descriptor header address
> by subtracting its size from the skb tail pointer.
> However, it does not validate if the received packet
> (skb->len from urb->actual_length) is large enough to contain this
> header.
>
> If a truncated packet is received, this will lead to a buffer
> underflow, reading memory before the start of the skb data area,
> and causing a kernel panic.
>
> Add length checks for both rtl8187 and rtl8187b descriptor headers
> before attempting to access them, dropping the packet cleanly if the
> check fails.
>
> Fixes: 6f7853f3cbe4 ("rtl8187: change rtl8187_dev.c to support RTL8187B (part 2)")
> Signed-off-by: Seungjin Bae <eeodqql09@...il.com>
1 patch(es) applied to rtw-next branch of rtw.git, thanks.
b647d2574e45 wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
---
https://github.com/pkshih/rtw.git
Powered by blists - more mailing lists