-rw-r--r-- | drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
index 9ff09cf7eb62..ac1061caacd6 100644
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
@@ -5554,6 +5554,11 @@ int rtl8xxxu_parse_rxdesc16(struct rtl8xxxu_priv *priv, struct sk_buff *skb)
 urb_len = skb->len;
 pkt_cnt = 0;
+ if (urb_len < sizeof(struct rtl8xxxu_rxdesc16)) {
+ kfree_skb(skb);
+ return RX_TYPE_ERROR;
+ }
+
 do {
 rx_desc = (struct rtl8xxxu_rxdesc16 *)skb->data;
 _rx_desc_le = (__le32 *)skb->data;
@@ -5581,7 +5586,7 @@ int rtl8xxxu_parse_rxdesc16(struct rtl8xxxu_priv *priv, struct sk_buff *skb)
 * at least cover the rx descriptor
 */
 if (pkt_cnt > 1 &&
- urb_len > (pkt_offset + sizeof(struct rtl8xxxu_rxdesc16)))
+ urb_len >= (pkt_offset + sizeof(struct rtl8xxxu_rxdesc16)))
 next_skb = skb_clone(skb, GFP_ATOMIC);
 rx_status = IEEE80211_SKB_RXCB(skb);
@@ -5627,7 +5632,9 @@ int rtl8xxxu_parse_rxdesc16(struct rtl8xxxu_priv *priv, struct sk_buff *skb)
 pkt_cnt--;
 urb_len -= pkt_offset;
- } while (skb && urb_len > 0 && pkt_cnt > 0);
+ next_skb = NULL;
+ } while (skb && pkt_cnt > 0 &&
+ urb_len >= sizeof(struct rtl8xxxu_rxdesc16));
 return RX_TYPE_DATA_PKT;
 }
|
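Review bot: The new early return in the first hunk consumes the skb with `kfree_skb(skb)` before returning `RX_TYPE_ERROR`, and that ownership rule is not documented anywhere in the visible lines. The callers are outside this diff, so it should be confirmed that none of them frees or dereferences the skb after an error return, since that would be a double free or use-after-free. I would add `/* Runt URB: too short for even one rx descriptor; the skb is consumed here */` above the check. The check covers only the fixed-size descriptor; the code that derives pkt_offset from descriptor fields sits between the hunks, so whether the payload length is also bounded by urb_len cannot be judged from here and is worth verifying.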
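Review bot: The rewritten loop condition in the last hunk, `urb_len >= sizeof(struct rtl8xxxu_rxdesc16)`, compares urb_len against a size_t, and urb_len's declaration is outside the hunk. If it is a signed int, a `urb_len -= pkt_offset` that goes negative is converted to a large unsigned value and passes the test, leaving `skb &&` as the only term that ends the loop. Making the bound explicit, for example `urb_len >= (int)sizeof(struct rtl8xxxu_rxdesc16)`, keeps termination independent of the skb pointer; the same mixed-sign comparison appears in the first and second hunks. The added `next_skb = NULL;` would also benefit from a comment such as `/* forget the previous clone so a skipped skb_clone() ends the loop */`.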