Index: sys/dev/usb/wlan/if_uath.c
===================================================================
--- sys/dev/usb/wlan/if_uath.c
+++ sys/dev/usb/wlan/if_uath.c
@@ -2211,7 +2211,7 @@
 /* NB: msgid is passed thru w/o byte swapping */
 #ifdef UATH_DEBUG
 if (sc->sc_debug & UATH_DEBUG_CMDS) {
- int len = be32toh(hdr->len);
+ uint32_t len = be32toh(hdr->len);
 printf("%s: %s [ix %u] len %u status %u\n", __func__, uath_codename(be32toh(hdr->code)), hdr->msgid, len, be32toh(hdr->magic));
@@ -2497,8 +2497,19 @@
 UATH_STAT_INC(sc, st_multichunk);
 chunklen = be16toh(chunk->length);
- if (chunk->flags & UATH_CFLAGS_FINAL)
+ if (chunk->flags & UATH_CFLAGS_FINAL) {
+ if (chunklen < sizeof(struct uath_rx_desc)) {
+ device_printf(sc->sc_dev,
+ "%s: invalid chunk length %d\n",
+ __func__, chunklen);
+ counter_u64_add(ic->ic_ierrors, 1);
+ if (sc->sc_intrx_head != NULL)
+ m_freem(sc->sc_intrx_head);
+ UATH_RESET_INTRX(sc);
+ return (NULL);
+ }
 chunklen -= sizeof(struct uath_rx_desc);
+ }
 if (chunklen > 0 && (!(chunk->flags & UATH_CFLAGS_FINAL) || !(chunk->seqnum == 0))) {
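Review bot: The new `chunklen < sizeof(struct uath_rx_desc)` guard in the second hunk carries no comment saying why it exists, and its failure path calls `device_printf` unconditionally on a value the USB device supplies. I would put `/* chunk->length is device-supplied; reject it before the subtraction below can go out of range */` above the inner `if`. I would also record the event with `UATH_STAT_INC`, as the hunk's first context line does for `st_multichunk`, or print only under the driver's debug flag, so a misbehaving device cannot flood the console with one message per bad chunk. The guard applies only when `UATH_CFLAGS_FINAL` is set; whether `chunklen` is also bounded against the length actually received is not visible here, because the function starts and ends outside the hunk.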