From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: dan.carpenter@linaro.org, error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v4 1/5] staging: rtl8723bs: fix heap buffer overflow in recvframe_defrag()
Date: Wed, 15 Apr 2026 19:54:57 +0100
Message-ID: <20260415185501.440492-2-delenetchior1@gmail.com>
In-Reply-To: <20260415185501.440492-1-delenetchior1@gmail.com>
References: <20260415185501.440492-1-delenetchior1@gmail.com>

In recvframe_defrag(), a memcpy() copies fragment data into the reassembly buffer before validating that the buffer has sufficient space. If the total reassembled payload exceeds the receive buffer capacity, this results in a heap buffer overflow.

Additionally, the return values of recvframe_pull() and recvframe_pull_tail() were ignored. On failure those helpers revert their pointer updates and return NULL; continuing past such a failure would leave pfhdr->rx_tail at its pre-strip value, so the subsequent bounds check against rx_end - rx_tail would operate on stale pointers.

An attacker within WiFi radio range can exploit this by sending crafted 802.11 fragmented frames. No authentication is required.

Check the return values of recvframe_pull() and recvframe_pull_tail(), then verify that the fragment payload fits within the remaining buffer space before the memcpy().

Found by reviewing memory operations in the driver and tracing buffer pointer manipulation through rtw_recv.h inline helpers. Not tested on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Delene Tchio Romuald
---
v4: check return values of recvframe_pull() and recvframe_pull_tail(); drop unnecessary (uint) cast; add Fixes: tag and Cc: stable (Dan Carpenter). Luka Gejak's Reviewed-by dropped because the code changed.
v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl.
v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply).

 drivers/staging/rtl8723bs/core/rtw_recv.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
index f78194d508dfc..a739c2bada2a1 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -1127,12 +1127,26 @@ static union recv_frame *recvframe_defrag(struct ad= apter *adapter, =20 wlanhdr_offset =3D pnfhdr->attrib.hdrlen + pnfhdr->attrib.iv_len; =20 - recvframe_pull(pnextrframe, wlanhdr_offset); + if (!recvframe_pull(pnextrframe, wlanhdr_offset)) { + rtw_free_recvframe(prframe, pfree_recv_queue); + rtw_free_recvframe_queue(defrag_q, pfree_recv_queue); + return NULL; + } =20 /* append to first fragment frame's tail (if privacy frame, pull the IC= V) */ - recvframe_pull_tail(prframe, pfhdr->attrib.icv_len); + if (!recvframe_pull_tail(prframe, pfhdr->attrib.icv_len)) { + rtw_free_recvframe(prframe, pfree_recv_queue); + rtw_free_recvframe_queue(defrag_q, pfree_recv_queue); + return NULL; + } + + /* Verify the receiving buffer has enough space for the fragment */ + if (pnfhdr->len > pfhdr->rx_end - pfhdr->rx_tail) { + rtw_free_recvframe(prframe, pfree_recv_queue); + rtw_free_recvframe_queue(defrag_q, pfree_recv_queue); + return NULL; + } =20 - /* memcpy */ memcpy(pfhdr->rx_tail, pnfhdr->rx_data, pnfhdr->len); =20 recvframe_put(prframe, pnfhdr->len); --=20 2.43.0
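Review bot: the three new error paths in this hunk repeat the same cleanup pair, `rtw_free_recvframe(prframe, pfree_recv_queue);` followed by `rtw_free_recvframe_queue(defrag_q, pfree_recv_queue);`, before each `return NULL;`. A single error label reached by `goto` from each check would keep the cleanup in one place and make it harder for a later check to miss one of the two frees. The ordering is otherwise right: the space check `pnfhdr->len > pfhdr->rx_end - pfhdr->rx_tail` runs only after recvframe_pull_tail() has succeeded, so rx_tail reflects the stripped ICV when the remaining room is computed, which is exactly the stale-pointer case the commit message describes.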
From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: dan.carpenter@linaro.org, error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v4 2/5] staging: rtl8723bs: fix integer underflow in TKIP MIC verification
Date: Wed, 15 Apr 2026 19:54:58 +0100
Message-ID: <20260415185501.440492-3-delenetchior1@gmail.com>
In-Reply-To: <20260415185501.440492-1-delenetchior1@gmail.com>
References: <20260415185501.440492-1-delenetchior1@gmail.com>

In recvframe_chkmic(), the payload length is computed as:

    datalen = precvframe->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_len - prxattrib->icv_len - 8;

All operands are unsigned. If the receive frame is shorter than the sum of the header, IV, ICV and MIC sizes, this subtraction wraps around and datalen becomes a huge unsigned value. That value is then passed to rtw_secmicappend(), which reads past the end of the receive buffer and can leak kernel memory or trigger a crash.

An attacker within WiFi radio range can exploit this by sending a crafted short TKIP-encrypted frame. No authentication is required.

Validate that the frame is large enough for the TKIP MIC computation before the subtraction.

Found by reviewing length arithmetic in the TKIP receive path. Not tested on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak
Signed-off-by: Delene Tchio Romuald
---
v4: add Fixes: tag and Cc: stable (Dan Carpenter); carry Luka Gejak's Reviewed-by.
v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl.
v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply).

 drivers/staging/rtl8723bs/core/rtw_recv.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
index a739c2bada2a1..00b69571bbb83 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -390,6 +390,13 @@ static signed int recvframe_chkmic(struct adapter *ada= pter, union recv_frame *p mickey =3D &stainfo->dot11tkiprxmickey.skey[0]; } =20 + /* Ensure the frame is large enough for TKIP MIC verification */ + if (precvframe->u.hdr.len <=3D prxattrib->hdrlen + + prxattrib->iv_len + prxattrib->icv_len + 8) { + res =3D _FAIL; + goto exit; + } + datalen =3D precvframe->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_l= en - prxattrib->icv_len - 8;/* icv_len included the mic code */ pframe =3D precvframe->u.hdr.rx_data; payload =3D pframe + prxattrib->hdrlen + prxattrib->iv_len; --=20 2.43.0
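Review bot: the new check uses `<=`, so a frame whose length is exactly hdrlen + iv_len + icv_len + 8 (a MIC with zero payload bytes under it) is now rejected with `res = _FAIL` instead of reaching the subtraction with datalen == 0; the commit message only talks about frames "shorter than the sum", which is the `<` case. If an empty TKIP payload is meant to be dropped too, say so in the commit message; otherwise `<` is the condition that matches the text. The `goto exit` also assumes an `exit:` label that returns `res` already exists further down recvframe_chkmic(); it is outside the hunk's context, so worth confirming before this goes to stable.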
From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: dan.carpenter@linaro.org, error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v4 3/5] staging: rtl8723bs: fix out-of-bounds read in portctrl()
Date: Wed, 15 Apr 2026 19:54:59 +0100
Message-ID: <20260415185501.440492-4-delenetchior1@gmail.com>
In-Reply-To: <20260415185501.440492-1-delenetchior1@gmail.com>
References: <20260415185501.440492-1-delenetchior1@gmail.com>

In portctrl(), when 802.1X port control is enabled and a non-EAPOL frame is received, the ether_type is read from the LLC header without verifying that the frame actually contains enough bytes to hold the MAC header, IV and the LLC header plus two bytes of ether_type. For sufficiently short frames, the memcpy() that loads be_tmp reads past the end of the receive buffer.

An attacker within WiFi radio range can exploit this by sending a crafted short frame. No authentication is required.

Validate the frame length before dereferencing the LLC header; drop the frame if it is too short.

Found by reviewing length validation in the receive path. Not tested on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak
Signed-off-by: Delene Tchio Romuald
---
v4: add Fixes: tag and Cc: stable (Dan Carpenter); carry Luka Gejak's Reviewed-by.
v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl.
v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply).

 drivers/staging/rtl8723bs/core/rtw_recv.c | 28 +++++++++++++++--------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
index 00b69571bbb83..c0a1c2ab710ee 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -539,17 +539,25 @@ static union recv_frame *portctrl(struct adapter *ada= pter, union recv_frame *pre =20 prtnframe =3D precv_frame; =20 - /* get ether_type */ - ptr =3D ptr + pfhdr->attrib.hdrlen + pfhdr->attrib.iv_len + LLC_HEADER_= LENGTH; - memcpy(&be_tmp, ptr, 2); - ether_type =3D ntohs(be_tmp); - - if (ether_type =3D=3D eapol_type) - prtnframe =3D precv_frame; - else { - /* free this frame */ - rtw_free_recvframe(precv_frame, &adapter->recvpriv.free_recv_queue); + /* Ensure frame has LLC header and ether_type */ + if (pfhdr->len < pattrib->hdrlen + + pattrib->iv_len + LLC_HEADER_LENGTH + 2) { + rtw_free_recvframe(precv_frame, + &adapter->recvpriv.free_recv_queue); prtnframe =3D NULL; + } else { + /* get ether_type */ + ptr +=3D pattrib->hdrlen + + pattrib->iv_len + + LLC_HEADER_LENGTH; + memcpy(&be_tmp, ptr, 2); + ether_type =3D ntohs(be_tmp); + + if (ether_type !=3D eapol_type) { + rtw_free_recvframe(precv_frame, + &adapter->recvpriv.free_recv_queue); + prtnframe =3D NULL; + } } } else { /* allowed */ --=20 2.43.0
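Review bot: the removed lines read `pfhdr->attrib.hdrlen` and `pfhdr->attrib.iv_len`, but the added lines switch to `pattrib->hdrlen` and `pattrib->iv_len`, and `pattrib` is not declared anywhere in the visible context of this hunk. Either portctrl() already has a `pattrib` pointing at `&pfhdr->attrib`, in which case the rename is an unrelated cleanup that should be mentioned in the commit message or split into its own patch, or this does not build. The length check itself, `pfhdr->len < pattrib->hdrlen + pattrib->iv_len + LLC_HEADER_LENGTH + 2`, is the right bound for the two-byte `memcpy(&be_tmp, ptr, 2)` that follows, and the restructured else branch keeps the earlier `prtnframe = precv_frame` for the EAPOL case.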
From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: dan.carpenter@linaro.org, error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v4 4/5] staging: rtl8723bs: fix out-of-bounds reads in IE parsing functions
Date: Wed, 15 Apr 2026 19:55:00 +0100
Message-ID: <20260415185501.440492-5-delenetchior1@gmail.com>
In-Reply-To: <20260415185501.440492-1-delenetchior1@gmail.com>
References: <20260415185501.440492-1-delenetchior1@gmail.com>

rtw_get_wapi_ie(), rtw_get_sec_ie() and rtw_get_wps_ie() walk a buffer of Information Elements using the TLV length field without first verifying that the length byte itself is inside the buffer, and without verifying that the element's declared length fits inside the remaining buffer. Both conditions can be reached with crafted input, causing reads past the end of the buffer.

An attacker within WiFi radio range can exploit this by sending crafted beacon or probe-response frames carrying truncated or oversized IEs. No authentication is required.

Ensure the length byte is inside the buffer (cnt + 1 < in_len) and break out of the loop if the declared element length would read past in_len.

Found by reviewing bounds checks in IE walkers. Not tested on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak
Signed-off-by: Delene Tchio Romuald
---
v4: add Fixes: tag and Cc: stable (Dan Carpenter); carry Luka Gejak's Reviewed-by.
v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl.
v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply).

 drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
index 72b7f731dd471..e0fed3f42de0c 100644
--- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
+++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
@@ -582,9 +582,12 @@ int rtw_get_wapi_ie(u8 *in_ie, uint in_len, u8 *wapi_i= e, u16 *wapi_len) =20 cnt =3D (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_); =20 - while (cnt < in_len) { + while (cnt + 1 < in_len) { authmode =3D in_ie[cnt]; =20 + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; + if (authmode =3D=3D WLAN_EID_BSS_AC_ACCESS_DELAY && (!memcmp(&in_ie[cnt + 6], wapi_oui1, 4) || !memcmp(&in_ie[cnt + 6], wapi_oui2, 4))) { @@ -615,9 +618,12 @@ void rtw_get_sec_ie(u8 *in_ie, uint in_len, u8 *rsn_ie= , u16 *rsn_len, u8 *wpa_ie =20 cnt =3D (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_); =20 - while (cnt < in_len) { + while (cnt + 1 < in_len) { authmode =3D in_ie[cnt]; =20 + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; + if ((authmode =3D=3D WLAN_EID_VENDOR_SPECIFIC) && (!memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4))) { if (wpa_ie)
@@ -658,9 +664,12 @@ u8 *rtw_get_wps_ie(u8 *in_ie, uint in_len, u8 *wps_ie,= uint *wps_ielen) =20 cnt =3D 0; =20 - while (cnt < in_len) { + while (cnt + 1 < in_len) { eid =3D in_ie[cnt]; =20 + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; + if ((eid =3D=3D WLAN_EID_VENDOR_SPECIFIC) && (!memcmp(&in_ie[cnt + 2], w= ps_oui, 4))) { wpsie_ptr =3D &in_ie[cnt]; =20 --=20 2.43.0
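Review bot: in the rtw_get_wapi_ie() hunk, the new `if (cnt + 2 + in_ie[cnt + 1] > in_len) break;` bounds the element by its declared length, but the two memcmp() calls that follow read 4 bytes from `&in_ie[cnt + 6]`, i.e. up to in_ie[cnt + 9], regardless of that length. An element with EID WLAN_EID_BSS_AC_ACCESS_DELAY and a declared length below 8 placed at the end of the buffer passes both new checks and the compare still reads past in_len. Require `in_ie[cnt + 1] >= 8` (or `cnt + 10 <= in_len`) before the memcmp() in that branch.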
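Review bot: the rtw_get_sec_ie() hunk has the same gap as the one above it: `memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4)` reads in_ie[cnt + 2] through in_ie[cnt + 5], so a WLAN_EID_VENDOR_SPECIFIC element with a declared length of 0 to 3 that ends exactly at in_len passes `cnt + 2 + in_ie[cnt + 1] > in_len` and the OUI compare still runs off the end of the buffer. Adding `in_ie[cnt + 1] >= 4` to the `if` condition closes it.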
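Review bot: same point for the rtw_get_wps_ie() hunk: `memcmp(&in_ie[cnt + 2], wps_oui, 4)` needs four body bytes, and the new declared-length check only guarantees `in_ie[cnt + 1]` of them. A trailing vendor-specific element with length below 4 is accepted by `cnt + 2 + in_ie[cnt + 1] > in_len` and the compare reads past in_len; gate the memcmp() on `in_ie[cnt + 1] >= 4` as well.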
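A bounds-checked IE walk in the shape of the three loops patched above, as an added example that is not code from the driver or from this series. It applies the same length-byte and declared-length checks and, going one step further, requires the element to hold the 4 OUI bytes before comparing them. The function name ie_find_vendor and the sample buffers are this example's own; WLAN_EID_VENDOR_SPECIFIC (221) and the WPA OUI/type bytes are the standard values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not rtl8723bs code: a hardened 802.11 IE (TLV) walker. */

#define WLAN_EID_VENDOR_SPECIFIC 221

/* Standard WPA OUI + type as carried in a vendor-specific IE. */
static const uint8_t wpa_oui[4] = { 0x00, 0x50, 0xF2, 0x01 };

/*
 * Return the offset of the first vendor-specific IE whose first 4 body
 * bytes equal oui, or -1 if none is found or the buffer is malformed.
 * Every read is checked against in_len before it happens:
 *   cnt + 1 < in_len        the length byte in_ie[cnt + 1] is in the buffer
 *   cnt + 2 + len <= in_len the element body ends inside the buffer
 *   len >= 4                the body really holds the 4 OUI bytes compared
 */
long ie_find_vendor(const uint8_t *in_ie, size_t in_len, const uint8_t oui[4])
{
    size_t cnt = 0;

    while (cnt + 1 < in_len) {
        uint8_t eid = in_ie[cnt];
        uint8_t len = in_ie[cnt + 1];

        /* Declared length runs past the buffer: oversized or truncated IE. */
        if (cnt + 2 + len > in_len)
            return -1;

        if (eid == WLAN_EID_VENDOR_SPECIFIC && len >= 4 &&
            memcmp(&in_ie[cnt + 2], oui, 4) == 0)
            return (long)cnt;

        cnt += 2 + (size_t)len;
    }
    return -1;
}

/* Constructed sample: SSID IE "ab", then a WPA vendor IE with a 6-byte body. */
static const uint8_t good_ies[] = {
    0x00, 0x02, 'a', 'b',
    0xDD, 0x06, 0x00, 0x50, 0xF2, 0x01, 0x01, 0x00,
};

/* Constructed sample: same bytes, but the vendor IE claims a 20-byte body
 * while the buffer ends after 6 (an oversized IE). */
static const uint8_t oversized_ies[] = {
    0x00, 0x02, 'a', 'b',
    0xDD, 0x14, 0x00, 0x50, 0xF2, 0x01, 0x01, 0x00,
};

/* Constructed sample: the vendor IE's EID is the last byte of the buffer,
 * so its length byte is already out of bounds (a truncated IE). */
static const uint8_t truncated_ies[] = { 0x00, 0x02, 'a', 'b', 0xDD };

/* Constructed sample: a 2-byte vendor IE ending exactly at in_len; without
 * the len >= 4 check the OUI compare would read 2 bytes past the end. */
static const uint8_t short_vendor_ies[] = { 0xDD, 0x02, 0x00, 0x50 };

long find_in_good(void)
{
    return ie_find_vendor(good_ies, sizeof good_ies, wpa_oui);
}

long find_in_oversized(void)
{
    return ie_find_vendor(oversized_ies, sizeof oversized_ies, wpa_oui);
}

long find_in_truncated(void)
{
    return ie_find_vendor(truncated_ies, sizeof truncated_ies, wpa_oui);
}

long find_in_short_vendor(void)
{
    return ie_find_vendor(short_vendor_ies, sizeof short_vendor_ies, wpa_oui);
}
```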
key) header.d=gmail.com header.i=@gmail.com header.b="pLlFVF+S" Received: by mail-vk1-f174.google.com with SMTP id 71dfb90a1353d-56adf76631cso2977890e0c.1 for ; Wed, 15 Apr 2026 11:56:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776279360; x=1776884160; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=terxqci1pBdDnjeH/sF4SrPTjsWluedBaTM7xGqnc9A=; b=pLlFVF+Sw/y4YDyLOcXP2eUxw4oOGcO6vRhjfsSquWIepcewlPV0caMqrm7Zj3DYTs Vru9q2OvUyNT/hhpytMr0gvA2JIv0EawBDftd6IslCyUMMdpuRuds7d6ApQzF2kWZ1zI MygZ4n+pCP+jM+EOzuPfsKqyrQWF3AYu5J0f3OK4UDY6AeLZD3XfVZDLrxj63/VMJIUW IIuIF4IVVoM/zTDDE0nKDq/5LBmSYGyE9E5w+hFh5sKdcjYllAZj9gugl9XD3+i1vV2Y Sv1+MANIj6wgQMJLXrfC83s35Q4Qrj6Rg45cnacurVYO6ysNSS91NOShi6Wr2+9gSHHz abgw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776279360; x=1776884160; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=terxqci1pBdDnjeH/sF4SrPTjsWluedBaTM7xGqnc9A=; b=laAxyNsKjFBdj7tyy0v4IaXoVUm/YaN00QGPRN0onsIoIHYsG4lnmFYQTfUHU0pt99 Tzh6PZzBago8JThKSFbSV4s1I3nXcttQINt1rB9ckGFkO8wh3xXu2TQeRmVN/uqNv3U5 KY1yoKYCsNctNRg3yFyGYxKrHDtebIBAx5o9lg0+Tqg1c+i4q0+tV8yXBd0qy1559o2r uJjRrI9vFPwQO7CE9qzStfzzNUOBZ06S9IsXv5zGRyjQYpiDdyHX6f7/XPdO+hMQ+0ct CRnkUV9BMzPnd/6PDFYbP2HUpdnk3ho8A9mKxgra3hKsVxl62sdJEN6N4PvC1HaKkXv7 m/fw== X-Forwarded-Encrypted: i=1; AFNElJ9DkXgR1DN3WpMW4oxoqW0iIM1dBtwxaCl2aRjx2iv6WBy/39OxCR157e9pu37KRP9/ZqUrXef+FRzarKI=@vger.kernel.org X-Gm-Message-State: AOJu0Yyb8iFNTxH7Gyep5t2LfUbGqQtHFOXVi8tgTpTW3d6XvlLAczw9 K3lVTqG64JBmuF9Iamj8U3IaSMZass3b/RSkLbQyWcVt4HZ9gkZoSiul X-Gm-Gg: AeBDieu0zNGhwDwi2ylH6ujWr9xfrbd1wTmRJB62+ETHwX5FyxB//zFeBY2sZ/1nSgo fAqGmOzfxsprEGE14LYlCn5WpJSpsZgkvuKTMOZPG0dl4Eg4JbZ9bs5j6ug68xbHPayEH0dbT9k 
38EUbPc1JyE3M25rZowQHbcv5v1Ux2H4miB8VPBVStXIqDYZv47qEa1JNQ+6RkQJyVSk4LEaVW9 GRvoi8axGLfwjBTxdryBN7QKMYqFJt0bcpWwYv3MHJBmG34H134ysyYuxCwwIbiW+s5/LkG/gEa qNWvZ5W78eZu4VX1CPVw3JxlDweM7UYCRRBcgFvdePMLWLOnN49cIBS17N3P0r+WV/EM3t1UgTn O7U59/wFOOo/RjhM+lMIkVvDJe8Mx6u3HkO89U0mxtu3OPGtrvOjKMNAIb4iDYMl6c6FJaeMTPq QzrZ7KnDJZwWw1aujCud2gXBJNZbREDQnq5Ma3oGixqc0Ukx3hwyY1 X-Received: by 2002:a05:6122:65a1:b0:56c:d1b0:3626 with SMTP id 71dfb90a1353d-56f3bd1af66mr12017282e0c.15.1776279360273; Wed, 15 Apr 2026 11:56:00 -0700 (PDT) Received: from localhost.localdomain ([102.244.98.233]) by smtp.gmail.com with ESMTPSA id 71dfb90a1353d-56f89feb56esm1647484e0c.15.2026.04.15.11.55.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 Apr 2026 11:55:59 -0700 (PDT) 
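Review bot: the added `if (cnt + 2 + in_ie[cnt + 1] > in_len) break;` guarantees that the element body fits inside in_ie, but the vendor-specific branch still runs `memcmp(&in_ie[cnt + 2], wps_oui, 4)` unconditionally, so a trailing element whose length byte is 0..3 still lets memcmp read up to 4 bytes past in_len. Add `in_ie[cnt + 1] >= 4` to the WLAN_EID_VENDOR_SPECIFIC condition (an OUI plus type needs at least 4 bytes) or skip such elements before the compare. The `while (cnt + 1 < in_len)` change itself is right: it makes the read of the length byte in_ie[cnt + 1] safe before it is used in the new bound.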
From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: dan.carpenter@linaro.org, error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v4 5/5] staging: rtl8723bs: fix negative length in WEP decryption
Date: Wed, 15 Apr 2026 19:55:01 +0100
Message-ID: <20260415185501.440492-6-delenetchior1@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260415185501.440492-1-delenetchior1@gmail.com>
References: <20260415185501.440492-1-delenetchior1@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

In rtw_wep_decrypt(), the payload length is computed as:

    length = frame->len - prxattrib->hdrlen - prxattrib->iv_len;

All operands are unsigned. If the frame is shorter than the sum of the header length and the IV length, this subtraction wraps around and length becomes a huge unsigned value. That value is then used to drive an arc4_crypt() call that reads and writes past the end of the receive buffer.

An attacker within WiFi radio range can exploit this by sending a crafted short WEP-encrypted frame. No authentication is required.

Validate that the frame is large enough to contain a WEP payload before computing length.

Found by reviewing length arithmetic in the WEP decrypt path. Not tested on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak
Signed-off-by: Delene Tchio Romuald
---
v4: add Fixes: tag and Cc: stable (Dan Carpenter); carry Luka Gejak's Reviewed-by.
v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl.
v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply).

 drivers/staging/rtl8723bs/core/rtw_security.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_security.c b/drivers/stagin= g/rtl8723bs/core/rtw_security.c index a00504ff29109..f3bc2240749a4 100644 --- a/drivers/staging/rtl8723bs/core/rtw_security.c +++ b/drivers/staging/rtl8723bs/core/rtw_security.c @@ -113,6 +113,12 @@ void rtw_wep_decrypt(struct adapter *padapter, u8 *pr= ecvframe) memcpy(&wepkey[0], iv, 3); /* memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[psecuritypriv->dot11Pr= ivacyKeyIndex].skey[0], keylength); */ memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[keyindex].skey[0], keylen= gth); + + /* Ensure the frame is long enough for WEP decryption */ + if (((union recv_frame *)precvframe)->u.hdr.len <=3D + prxattrib->hdrlen + prxattrib->iv_len) + return; + length =3D ((union recv_frame *)precvframe)->u.hdr.len - prxattrib->hdrl= en - prxattrib->iv_len; =20 payload =3D pframe + prxattrib->iv_len + prxattrib->hdrlen; --=20 2.43.0
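Review bot: the smallest frame this check admits has a 1-byte payload (`u.hdr.len == hdrlen + iv_len + 1`), but a WEP payload always ends in a 4-byte ICV, so if the code that follows this hunk verifies the ICV at `payload + length - 4`, lengths 1..3 still index before the payload; consider rejecting frames with `u.hdr.len <= hdrlen + iv_len + 4` so both the data and the ICV are guaranteed to fit. Two smaller points: the check sits after the two memcpy() calls that assemble wepkey from the IV and default key, and moving it above them avoids building a key for a frame that is then discarded; and the bare `return` drops the frame silently, so a short comment (or the driver's debug message) at the return would help anyone diagnosing rejected frames. The `<=` itself is right, since `length == 0` would also be unusable.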