From: Alexandru Hossu
To: gregkh@linuxfoundation.org
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, dan.carpenter@linaro.org, hansg@kernel.org, stable@vger.kernel.org, hossu.alexandru@gmail.com, Dan Carpenter
Subject: [PATCH v2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient
Date: Tue, 14 Apr 2026 16:53:50 +0200
Message-ID: <20260414145350.903996-1-hossu.alexandru@gmail.com>
In-Reply-To: <20260413202824.740653-1-hossu.alexandru@gmail.com>
References: <20260413202824.740653-1-hossu.alexandru@gmail.com>

OnAuthClient() accesses pframe without first verifying that pkt_len is
large enough to contain a valid 802.11 management frame header:

- get_da(pframe) reads bytes 4-9, requiring pkt_len >= 10
- GetPrivacy(pframe) reads the FC field at bytes 0-1

Additionally, when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ the
unsigned subtraction passed to rtw_get_ie() wraps around, causing it to
scan well past the end of the buffer.

Add an early check against WLAN_HDR_A3_LEN before any pframe access, and
a second check against WLAN_HDR_A3_LEN + offset + 6 after computing
offset to guard the seq/status reads and the rtw_get_ie() call.

Reported-by: Dan Carpenter
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu
---
 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index 90f27665667a..884cd39ec756 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -860,6 +860,9 @@ unsigned int OnAuthClient(struct adapter *padapter, uni= on recv_frame *precv_fram u8 *pframe =3D precv_frame->u.hdr.rx_data; uint pkt_len =3D precv_frame->u.hdr.len; =20 + if (pkt_len < WLAN_HDR_A3_LEN) + goto authclnt_fail; + /* check A1 matches or not */ if (memcmp(myid(&(padapter->eeprompriv)), get_da(pframe), ETH_ALEN)) return _SUCCESS; @@ -869,6 +872,9 @@ unsigned int OnAuthClient(struct adapter *padapter, uni= on recv_frame *precv_fram =20 offset =3D (GetPrivacy(pframe)) ? 4 : 0; =20 + if (pkt_len < WLAN_HDR_A3_LEN + offset + 6) + goto authclnt_fail; + seq =3D le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offs= et + 2)); status =3D le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + o= ffset + 4)); =20 --=20 2.53.0
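Review bot: in the first hunk (`if (pkt_len < WLAN_HDR_A3_LEN) goto authclnt_fail;`) a truncated frame is routed to authclnt_fail, whereas the A1 mismatch directly below it returns _SUCCESS and silently drops the frame; the label's body is not in the visible context and the commit message does not say why a frame too short to hold a header should count as an authentication failure rather than be ignored like a frame addressed to someone else. Please state the intended behaviour in the commit message, or return _SUCCESS here if authclnt_fail has side effects that malformed input should not trigger. A one-line comment above the check naming the two readers it protects (get_da() and GetPrivacy(), per the commit message) would also help the next reader.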
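Review bot: in the second hunk the bound `WLAN_HDR_A3_LEN + offset + 6` is a bare number whose meaning is only recoverable from the two reads below it (`seq` at `offset + 2`, `status` at `offset + 4`, two bytes each, so the last byte touched is `offset + 5`); the arithmetic is right, but the commit message also relies on this check to keep `pkt_len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_` in the rtw_get_ie() call from wrapping, and that call is outside the visible context. That protection only holds if _AUTH_IE_OFFSET_ is no larger than 6, so either spell the bound as `WLAN_HDR_A3_LEN + offset + _AUTH_IE_OFFSET_` (if that constant is indeed the 6-byte fixed auth body) or add a comment recording the dependency, so a later change to either value does not reopen the wrap.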
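A compact C model of the two checks this patch adds, included here as an added example; it is not code from the rtl8723bs driver or from the patch author. It assumes the constant values WLAN_HDR_A3_LEN = 24, _AUTH_IE_OFFSET_ = 6 and ETH_ALEN = 6 from the driver headers, models get_da() as the A1 field of a management frame, and replaces rtw_get_ie() with a hypothetical bounded walker find_ie(); the frames are constructed, not captured. unchecked_ie_limit() shows the wrapped length the old code would have produced for a short frame, and parse_auth_client() shows the patched order of checks, including the privacy-bit case where offset is 4, which the commit message describes but the hunks do not exercise.

```c
#include <stdio.h>
#include <string.h>

typedef unsigned char u8;

/* Assumed driver constants (rtl8723bs header values, not from the patch). */
#define WLAN_HDR_A3_LEN    24   /* FC(2) dur(2) A1(6) A2(6) A3(6) seqctl(2) */
#define _AUTH_IE_OFFSET_   6    /* algorithm(2) seq(2) status(2) */
#define WLAN_EID_CHALLENGE 16
#define ETH_ALEN           6
#define PRIVACY_BIT        0x40 /* FC bit 14 (protected frame), in byte 1 */

struct auth_fields {
    unsigned offset, seq, status, ie_limit; /* offset = 4 if privacy bit set */
    const u8 *ie;                           /* first byte after fixed fields */
};

/* The limit the unpatched code passed to rtw_get_ie(): wraps for pkt_len < 30. */
unsigned unchecked_ie_limit(unsigned pkt_len) { return pkt_len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_; }

/* Hypothetical bounded IE walker: every read is checked against len. */
const u8 *find_ie(const u8 *buf, unsigned len, u8 eid, unsigned *ie_len)
{
    for (unsigned i = 0; i + 2 <= len; i += 2u + buf[i + 1]) {
        if (i + 2u + buf[i + 1] > len)
            return NULL;                    /* element overruns the buffer */
        if (buf[i] == eid) {
            *ie_len = buf[i + 1];
            return buf + i;
        }
    }
    return NULL;
}

/* Front half of OnAuthClient() with the patch's two checks. Returns 0 on
 * success, 1 if A1 is not ours (ignored, as the driver's _SUCCESS return does),
 * -1 if the frame is too short. get_da() is modelled as A1 at bytes 4..9. */
int parse_auth_client(const u8 *pframe, unsigned pkt_len,
                      const u8 *my_addr, struct auth_fields *out)
{
    if (pkt_len < WLAN_HDR_A3_LEN)          /* check 1: whole A3 header present */
        return -1;
    if (memcmp(my_addr, pframe + 4, ETH_ALEN) != 0)
        return 1;
    out->offset = (pframe[1] & PRIVACY_BIT) ? 4 : 0;
    /* check 2: algorithm, seq and status fit after header and IV. Because
     * _AUTH_IE_OFFSET_ (6) <= offset + 6, the get_ie subtraction cannot wrap. */
    if (pkt_len < WLAN_HDR_A3_LEN + out->offset + 6)
        return -1;
    const u8 *body = pframe + WLAN_HDR_A3_LEN + out->offset;
    out->seq      = body[2] | (unsigned)body[3] << 8;
    out->status   = body[4] | (unsigned)body[5] << 8;
    out->ie       = body + 6;
    out->ie_limit = pkt_len - WLAN_HDR_A3_LEN - out->offset - 6;
    return 0;
}

static const u8 OUR_MAC[ETH_ALEN] = { 0x02, 0, 0, 0, 0, 0x01 };
static const u8 GOOD_AUTH[] = {             /* constructed: shared-key, seq 2 */
    0xb0, 0x00, 0x00, 0x00,                 /* FC (mgmt/auth), duration */
    0x02, 0, 0, 0, 0, 0x01,                 /* A1 = our address */
    0x02, 0, 0, 0, 0, 0xaa,                 /* A2 = AP */
    0x02, 0, 0, 0, 0, 0xaa,                 /* A3 = BSSID */
    0x00, 0x00,                             /* sequence control */
    0x01, 0x00, 0x02, 0x00, 0x00, 0x00,     /* algo = 1, seq = 2, status = 0 */
    WLAN_EID_CHALLENGE, 8, 'c', 'h', 'a', 'l', 'l', 'e', 'n', 'g',
};
static const u8 PRIV_AUTH[] = {             /* constructed: privacy bit, 4-byte IV */
    0xb0, 0x40, 0x00, 0x00,
    0x02, 0, 0, 0, 0, 0x01, 0x02, 0, 0, 0, 0, 0xaa, 0x02, 0, 0, 0, 0, 0xaa,
    0x00, 0x00, 0x11, 0x22, 0x33, 0x44,     /* sequence control, IV */
    0x01, 0x00, 0x03, 0x00, 0x00, 0x00,     /* algo = 1, seq = 3, status = 0 */
};

/* seq of the frame, -1 if truncated, -2 if not addressed to us. */
int auth_seq(const u8 *pframe, unsigned pkt_len)
{
    struct auth_fields f;
    int rc = parse_auth_client(pframe, pkt_len, OUR_MAC, &f);
    return rc == 0 ? (int)f.seq : (rc == 1 ? -2 : -1);
}

/* Challenge IE body length of a seq-2 frame, -1 if truncated or absent. */
int auth_challenge_len(const u8 *pframe, unsigned pkt_len)
{
    struct auth_fields f;
    unsigned l;
    if (parse_auth_client(pframe, pkt_len, OUR_MAC, &f) != 0 || f.seq != 2)
        return -1;
    return find_ie(f.ie, f.ie_limit, WLAN_EID_CHALLENGE, &l) ? (int)l : -1;
}

int main(void)
{
    unsigned lens[] = { 8, 28, 30, 33, sizeof GOOD_AUTH }, i;
    printf("unchecked get_ie limit for a 28-byte frame: %u\n", unchecked_ie_limit(28));
    for (i = 0; i < 5; i++)
        printf("pkt_len=%2u seq=%2d challenge=%2d\n", lens[i],
               auth_seq(GOOD_AUTH, lens[i]), auth_challenge_len(GOOD_AUTH, lens[i]));
    return 0;
}
```

The 28-byte case is the one the commit message describes: the frame holds the header plus the algorithm and seq fields but not status, so the old subtraction yields a limit near UINT_MAX while the patched check rejects it before any read. The 33-byte case shows why the walker must also validate each element's own length field: the fixed fields fit, but the challenge IE claims eight bytes and only one is present.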