wifi: libertas: fix integer underflow in process_cmdrequest()

The existing validation only checks if recvlength exceeds
LBS_CMD_BUFFER_SIZE, but doesn't check the lower bound. When a
USB device sends a response shorter than MESSAGE_HEADER_LEN, the
subtraction (recvlength - MESSAGE_HEADER_LEN) wraps to a huge
value, causing memcpy to corrupt the heap.
Add the same lower bound check that libertas_tf already has.

Signed-off-by: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
Link: https://patch.msgid.link/20260418004247.368944-1-a.jahangirzad@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/drivers/net/wireless/marvell/libertas/if_usb.c b/drivers/net/wireless/marvell/libertas/if_usb.c
index 4fae0e335136611548738887766aa8463b82ab24..a00d53350fa97148bee9935f82664a00c99aff26 100644 (file)
--- a/drivers/net/wireless/marvell/libertas/if_usb.c
+++ b/drivers/net/wireless/marvell/libertas/if_usb.c
@@ -633,9 +633,10 @@ static inline void process_cmdrequest(int recvlength, uint8_t *recvbuff,
        unsigned long flags;
        u8 i;
 
-       if (recvlength > LBS_CMD_BUFFER_SIZE) {
+       if (recvlength < MESSAGE_HEADER_LEN ||
+           recvlength > LBS_CMD_BUFFER_SIZE) {
                lbs_deb_usbd(&cardp->udev->dev,
-                            "The receive buffer is too large\n");
+                            "The receive buffer is invalid: %d\n", recvlength);
                kfree_skb(skb);
                return;
        }