From: Alexandru Hossu
To: gregkh@linuxfoundation.org
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, error27@gmail.com, stable@vger.kernel.org, Alexandru Hossu
Subject: [PATCH v2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient
Date: Tue, 14 Apr 2026 23:39:59 +0200
Message-ID: <20260414213959.1028301-1-hossu.alexandru@gmail.com>

OnAuthClient() accesses pframe without first verifying that pkt_len is
large enough to contain a valid 802.11 management frame header:

- get_da(pframe) reads bytes 4-9, requiring pkt_len >= 10
- GetPrivacy(pframe) reads the FC field at bytes 0-1

Additionally, when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ the
unsigned subtraction passed to rtw_get_ie() wraps around, causing it to
scan well past the end of the buffer.

Add an early check against WLAN_HDR_A3_LEN before any pframe access, and
a second check against WLAN_HDR_A3_LEN + offset + 6 after computing
offset to guard the seq/status reads and the rtw_get_ie() call.

Suggested-by: Dan Carpenter
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu Reviewed-by: Dan Carpenter Reviewed-by: Luka Gejak --- Changes in v2: - Replace incorrect Reported-by tag with Suggested-by: Dan spotted the missing length check during code review of the heap overflow fix; he did not file a separate bug report - Add missing version changelog (the initial submission was incorrectly labeled v2; no v1 was ever sent to the list) drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/stagin= g/rtl8723bs/core/rtw_mlme_ext.c index 90f27665667a..884cd39ec756 100644 --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c @@ -860,6 +860,9 @@ unsigned int OnAuthClient(struct adapter *padapter, uni= on recv_frame *precv_fram u8 *pframe =3D precv_frame->u.hdr.rx_data; uint pkt_len =3D precv_frame->u.hdr.len; =20 + if (pkt_len < WLAN_HDR_A3_LEN) + goto authclnt_fail; + /* check A1 matches or not */ if (memcmp(myid(&(padapter->eeprompriv)), get_da(pframe), ETH_ALEN)) return _SUCCESS; @@ -869,6 +872,9 @@ unsigned int OnAuthClient(struct adapter *padapter, uni= on recv_frame *precv_fram =20 offset =3D (GetPrivacy(pframe)) ? 4 : 0; =20 + if (pkt_len < WLAN_HDR_A3_LEN + offset + 6) + goto authclnt_fail; + seq =3D le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offs= et + 2)); status =3D le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + o= ffset + 4)); =20 --=20 2.53.0
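Review bot: in the first hunk a frame shorter than WLAN_HDR_A3_LEN jumps to authclnt_fail, while the very next line returns _SUCCESS for a frame whose A1 does not match us; a runt frame never reaches that DA comparison, so it is treated as an authentication failure even though it cannot be attributed to the peer we are authenticating with. Consider `return _SUCCESS;` (silently drop) for the short-frame case, or add a one-line comment stating why the failure path is intended; the label's side effects are outside the visible context, so the choice deserves a sentence either way.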
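Review bot: the bound in the second hunk, `pkt_len < WLAN_HDR_A3_LEN + offset + 6`, is exactly what the two visible reads need (status ends at byte offset + 5), but the commit message also relies on it to stop the `pkt_len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_` wraparound in rtw_get_ie(), which only follows if _AUTH_IE_OFFSET_ <= offset + 6, and neither that call nor the macro appears in the hunk. A short comment above the check naming both purposes, or a named constant for the fixed auth fields in place of the literal 6, would keep a later cleanup from changing the bound without noticing the second dependency.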