CVE-2023-54300

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx<br /> <br /> For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid<br /> uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should<br /> validate pkt_len before accessing the SKB.<br /> <br /> For example, the obtained SKB may have been badly constructed with<br /> pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr<br /> but after being processed in ath9k_htc_rx_msg() and passed to<br /> ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI<br /> command header which should be located inside its data payload.<br /> <br /> Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit<br /> memory can be referenced.<br /> <br /> Tested on Qualcomm Atheros Communications AR9271 802.11n .<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.