Dear MARVELL Developers,

We are curious whether the function `mwifiex_11h_handle_chanrpt_ready()` might have an underflow.

The function is https://elixir.bootlin.com/linux/v6.8/source/drivers/net/wireless/marvell/mwifiex/11h.c#L193 and the relevant code is

```
int mwifiex_11h_handle_chanrpt_ready(struct mwifiex_private *priv,
				     struct sk_buff *skb)
{
	struct host_cmd_ds_chan_rpt_event *rpt_event;
	struct mwifiex_ie_types_chan_rpt_data *rpt;
	u16 event_len, tlv_len;

	rpt_event = (void *)(skb->data + sizeof(u32));
	event_len = skb->len - (sizeof(struct host_cmd_ds_chan_rpt_event)+
				sizeof(u32));
	...
	while (event_len >= sizeof(struct mwifiex_ie_types_header)) {
		rpt = (void *)&rpt_event->tlvbuf;
		tlv_len = le16_to_cpu(rpt->header.len);

		switch (le16_to_cpu(rpt->header.type)) {
		case TLV_TYPE_CHANRPT_11H_BASIC:
			if (rpt->map.radar) {
				mwifiex_dbg(priv->adapter, MSG,
					    "RADAR Detected on channel %d!\n",
					    priv->dfs_chandef.chan->hw_value);
				cancel_delayed_work_sync(&priv->dfs_cac_work);
				cfg80211_cac_event(priv->netdev,
						   &priv->dfs_chandef,
						   NL80211_RADAR_DETECTED,
						   GFP_KERNEL);
			}
			break;
		default:
			break;
		}

		event_len -= (tlv_len + sizeof(rpt->header));
	}

	return 0;
}
```

Here if the `tlv_len + sizeof(rpt->header)` is greater than `event_len`, then `event_len` will underflow since they are both unsigned integers. We are curious whether `event_len` is guaranteed to be greater than or equal to `tlv_len + sizeof(rpt->header)` in each iteration since we found that `sizeof(struct mwifiex_ie_types_header) == sizeof(rpt->header)`.

Please kindly correct us if we missed any key information. Looking forward to your response!

Best,
Chenyuan
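
The subtraction asked about above, modelled in user space as an added example; it is not part of the original message and not code from the mwifiex driver. It assumes a 4-byte TLV header (2-byte type, 2-byte little-endian length), and the names `remaining_unchecked`, `walk_checked`, `SAMPLE_OK` and `SAMPLE_BAD` are hypothetical. It shows the 16-bit wraparound next to a walk that validates each length before subtracting.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define HDR_LEN 4u /* assumed header: 2-byte type + 2-byte len, little-endian */

static uint16_t rd_le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}

/* Arithmetic of the quoted loop: what a u16 event_len holds after one
 * iteration subtracts tlv_len + header size (same result as `-=`). */
uint16_t remaining_unchecked(const uint8_t *tlv, uint16_t event_len)
{
	uint16_t tlv_len = rd_le16(tlv + 2);
	return (uint16_t)(event_len - (tlv_len + HDR_LEN)); /* wraps mod 65536 */
}

/* Bounded walk: number of well-formed TLVs, or -1 as soon as a TLV
 * claims more payload than the buffer still holds. */
int walk_checked(const uint8_t *buf, size_t event_len)
{
	int count = 0;
	while (event_len >= HDR_LEN) {
		size_t tlv_len = rd_le16(buf + 2);
		if (tlv_len > event_len - HDR_LEN)
			return -1;
		buf += HDR_LEN + tlv_len;
		event_len -= HDR_LEN + tlv_len;
		count++;
	}
	return count;
}

/* Constructed inputs: two valid TLVs; one TLV claiming 8 bytes with 2 present. */
const uint8_t SAMPLE_OK[]  = { 1, 0, 2, 0, 0xaa, 0xbb, 2, 0, 0, 0 };
const uint8_t SAMPLE_BAD[] = { 1, 0, 8, 0, 0xaa, 0xbb };

int main(void)
{
	printf("unchecked=%u checked_bad=%d checked_ok=%d\n",
	       (unsigned)remaining_unchecked(SAMPLE_BAD, sizeof(SAMPLE_BAD)),
	       walk_checked(SAMPLE_BAD, sizeof(SAMPLE_BAD)),
	       walk_checked(SAMPLE_OK, sizeof(SAMPLE_OK)));
	return 0;
}
```

With a 16-bit counter, the 6-byte constructed sample leaves 65530, which still satisfies a `>= 4` loop condition.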