From: Alexandru Hossu
To: gregkh@linuxfoundation.org
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, dan.carpenter@linaro.org, hansg@kernel.org, stable@vger.kernel.org, Alexandru Hossu
Subject: [PATCH] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path
Date: Mon, 13 Apr 2026 22:28:24 +0200
Message-ID: <20260413202824.740653-1-hossu.alexandru@gmail.com>

rtw_get_ie() returns the raw IE length from the received frame, which can be up to 255. This length is used directly in memcpy() into chg_txt[128] with no bounds check, allowing a heap overflow of up to 127 bytes when a rogue AP sends an Auth seq=2 frame with a Challenge Text IE longer than 128 bytes.

IEEE 802.11 mandates the Challenge Text element carries exactly 128 bytes of challenge data. Reject any element whose length field does not match sizeof(pmlmeinfo->chg_txt) (128).

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu
Reviewed-by: Dan Carpenter
---
 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index 5f00fe282d1b..90f27665667a 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c @@ -891,7 +891,7 @@ unsigned int OnAuthClient(struct adapter *padapter, uni= on recv_frame *precv_fram p =3D rtw_get_ie(pframe + WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_, WLAN_EID_= CHALLENGE, (int *)&len, pkt_len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_); =20 - if (!p) + if (!p || len !=3D sizeof(pmlmeinfo->chg_txt)) goto authclnt_fail; =20 memcpy(pmlmeinfo->chg_txt, p + 2, len); --=20 2.53.0
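Review bot: the new condition `len != sizeof(pmlmeinfo->chg_txt)` closes the over-long case, but it only bounds the destination; it does not by itself guarantee the 128 bytes read by `memcpy(pmlmeinfo->chg_txt, p + 2, len)` are all present in the received buffer. That depends on rtw_get_ie() refusing to return an element whose length field runs past the limit passed as its last argument (`pkt_len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_`); please confirm it does, otherwise a frame that claims len == 128 with fewer bytes actually following would still read past the end of the frame. Two smaller points on the same hunk: the commit message justifies the rejection with the IEEE 802.11 requirement of exactly 128 bytes, while the code ties it to the buffer size, so a one-line comment at the check (that the protocol mandates 128 and chg_txt is sized to match) would keep those from drifting apart if chg_txt is ever resized; and the pre-existing `(int *)&len` cast in the rtw_get_ie() call is unrelated to this fix and fine to leave for a follow-up, but it is worth noting that `len` is compared against a size_t here, so its declared type should be unsigned to avoid a signed/unsigned comparison warning.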
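As an added, self-contained illustration of the bug the commit message describes (not code from the rtl8723bs driver or from the patch author): a bounded element walk in the spirit of rtw_get_ie(), a constructed shared-key Auth seq=2 body, and the pre-fix versus patched acceptance logic side by side. The names find_ie(), build_auth_seq2(), prefix_copy_len() and fixed_verdict() are chosen here; AUTH_IE_OFFSET = 6 stands in for the driver's _AUTH_IE_OFFSET_ (the three 2-byte authentication fixed fields) and is an assumption about the frame layout, while element ID 16 is the 802.11 Challenge Text element ID. The walker goes one step beyond the patch by treating an element whose length field runs past the passed limit as not found, which is the truncated-frame case that a bounds-check review should also cover.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WLAN_EID_CHALLENGE  16   /* 802.11 Challenge Text element ID */
#define CHALLENGE_TEXT_LEN  128  /* 802.11 mandates exactly 128 bytes of challenge */
#define AUTH_IE_OFFSET      6    /* assumed: algorithm(2) + seq(2) + status(2) precede the IEs */

struct mlme_info {
	uint8_t chg_txt[CHALLENGE_TEXT_LEN];   /* same size as the driver's chg_txt */
};

/*
 * Bounded TLV walk, in the spirit of rtw_get_ie(). Returns a pointer to the
 * element header (ID byte) or NULL. An element whose length field runs past
 * 'limit' is treated as not found, so the caller is never handed an element
 * that is only partially present in the buffer.
 */
static const uint8_t *find_ie(const uint8_t *ies, size_t limit, uint8_t eid, size_t *len)
{
	size_t off = 0;

	while (off + 2 <= limit) {
		uint8_t id = ies[off];
		size_t l = ies[off + 1];

		if (off + 2 + l > limit)
			return NULL;            /* truncated element */
		if (id == eid) {
			*len = l;
			return ies + off;
		}
		off += 2 + l;
	}
	return NULL;
}

/*
 * Constructed Auth seq=2 body: fixed fields followed by one Challenge Text IE
 * whose length field claims 'claimed_len' bytes but which actually carries
 * 'present' bytes of payload. Returns the total body length, 0 on no room.
 */
static size_t build_auth_seq2(uint8_t *buf, size_t bufsz, uint8_t claimed_len, size_t present)
{
	size_t n = 0;

	if (bufsz < AUTH_IE_OFFSET + 2 + present)
		return 0;
	buf[n++] = 0x01; buf[n++] = 0x00;   /* Authentication Algorithm Number: 1 = Shared Key */
	buf[n++] = 0x02; buf[n++] = 0x00;   /* Authentication Transaction Sequence Number: 2 */
	buf[n++] = 0x00; buf[n++] = 0x00;   /* Status Code: 0 = success */
	buf[n++] = WLAN_EID_CHALLENGE;
	buf[n++] = claimed_len;
	memset(buf + n, 0x41, present);     /* constructed challenge bytes */
	return n + present;
}

/*
 * Pre-fix logic: any Challenge IE that is found is copied with its raw length.
 * Returns the length memcpy() would have used (performs no copy), -1 if none.
 */
static int prefix_copy_len(uint8_t claimed_len, size_t present)
{
	uint8_t frame[512];
	size_t flen = build_auth_seq2(frame, sizeof(frame), claimed_len, present);
	size_t len;
	const uint8_t *p;

	if (flen < AUTH_IE_OFFSET)
		return -1;
	p = find_ie(frame + AUTH_IE_OFFSET, flen - AUTH_IE_OFFSET, WLAN_EID_CHALLENGE, &len);
	return p ? (int)len : -1;
}

/* Patched logic: accept only an exactly 128-byte challenge. 0 = copied, -1 = rejected. */
static int fixed_verdict(uint8_t claimed_len, size_t present)
{
	struct mlme_info mi;
	uint8_t frame[512];
	size_t flen = build_auth_seq2(frame, sizeof(frame), claimed_len, present);
	size_t len;
	const uint8_t *p;

	if (flen < AUTH_IE_OFFSET)
		return -1;
	p = find_ie(frame + AUTH_IE_OFFSET, flen - AUTH_IE_OFFSET, WLAN_EID_CHALLENGE, &len);
	if (!p || len != sizeof(mi.chg_txt))
		return -1;
	memcpy(mi.chg_txt, p + 2, len);     /* len is now known to be 128 */
	return 0;
}

int main(void)
{
	printf("good 128-byte challenge: pre-fix copies %d, patched verdict %d\n",
	       prefix_copy_len(128, 128), fixed_verdict(128, 128));
	printf("rogue 255-byte challenge: pre-fix copies %d (overflows chg_txt[128]), patched verdict %d\n",
	       prefix_copy_len(255, 255), fixed_verdict(255, 255));
	printf("truncated frame (claims 128, carries 50): pre-fix %d, patched verdict %d\n",
	       prefix_copy_len(128, 50), fixed_verdict(128, 50));
	return 0;
}
```

The rogue case is where the unpatched driver would write 127 bytes past the end of chg_txt; the example reports the length instead of performing the copy. The truncated case is rejected by the walker rather than by the length check, which is why a review of this fix should look at how rtw_get_ie() treats an element that overruns its limit.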