From nobody Tue Jun 16 06:25:07 2026 Received: from mail-vk1-f178.google.com (mail-vk1-f178.google.com [209.85.221.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 61EE634FF45 for ; Fri, 17 Apr 2026 03:02:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.178 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776394972; cv=none; b=I1Evkv2xs0CmEvv+DzpC0HtEXsbjj2IY/3+65mmVggnrp63oXteItlt1xTxMWHO2P4L2XohmnBUsomHTHSBm2HZHrSpiis5oQmM+ieKq7f5GSQ/ptQFitYU3+bfge4nb2az75ZenKvKxJeFHys3mRVT8tovs6AkYZWdTVcZxtaI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776394972; c=relaxed/simple; bh=1RX4ZJXRy1W+znU6njTURTqBy+hEg0UjYtH5Zu8szko=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=nYsVO4q+L4EtzaF9DkyFi5jUoZhcyUiV1DeRrgySCbNxAGtPwmy3W3OizceUmbE5huwk+aMFmjGVbTo6r6yyLSrLa+hG9oBZaAPmadPQt5bHk1/C0kPTG3F9eOBeFzZzaK8ChcHmQMSsmAJjkqqbgY2MVsrA/YxrLApmS1G6j5w= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=llnGPklT; arc=none smtp.client-ip=209.85.221.178 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="llnGPklT" Received: by mail-vk1-f178.google.com with SMTP id 71dfb90a1353d-5637886c92aso83223e0c.0 for ; Thu, 16 Apr 2026 20:02:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776394969; x=1776999769; darn=vger.kernel.org; 
From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v5 1/5] staging: rtl8723bs: fix heap buffer overflow in recvframe_defrag()
Date: Fri, 17 Apr 2026 04:01:06 +0100
Message-ID: <20260417030110.42991-2-delenetchior1@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260417030110.42991-1-delenetchior1@gmail.com>
References: <20260417030110.42991-1-delenetchior1@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

In recvframe_defrag(), a memcpy() copies fragment data into the reassembly buffer before validating that the buffer has sufficient space. If the total reassembled payload exceeds the receive buffer capacity, this results in a heap buffer overflow.

Additionally, the return values of recvframe_pull() and recvframe_pull_tail() were ignored. On failure those helpers revert their pointer updates and return NULL; continuing past such a failure would leave pfhdr->rx_tail at its pre-strip value, so the subsequent bounds check against rx_end - rx_tail would operate on stale pointers.

An attacker within WiFi radio range can exploit this by sending crafted 802.11 fragmented frames. No authentication is required.

Check the return values of recvframe_pull() and recvframe_pull_tail(), then verify that the fragment payload fits within the remaining buffer space before the memcpy(). Consolidate the five cleanup paths through a single out_err label.

Found by reviewing memory operations in the driver and tracing buffer pointer manipulation through rtw_recv.h inline helpers. Not tested on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Delene Tchio Romuald --- v5: collapse the five identical cleanup sites into a single out_err label (Dan Carpenter). v4: check return values of recvframe_pull() and recvframe_pull_tail(); drop unnecessary (uint) cast; add Fixes: tag and Cc: stable (Dan Carpenter). v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl. v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply). drivers/staging/rtl8723bs/core/rtw_recv.c | 37 ++++++++++++----------- 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rt= l8723bs/core/rtw_recv.c index f78194d508dfc..52d029c28ab1f 100644 --- a/drivers/staging/rtl8723bs/core/rtw_recv.c +++ b/drivers/staging/rtl8723bs/core/rtw_recv.c @@ -1090,14 +1090,9 @@ static union recv_frame *recvframe_defrag(struct ada= pter *adapter, pfhdr =3D &prframe->u.hdr; list_del_init(&(prframe->u.list)); =20 - if (curfragnum !=3D pfhdr->attrib.frag_num) { - /* the first fragment number must be 0 */ - /* free the whole queue */ - rtw_free_recvframe(prframe, pfree_recv_queue); - rtw_free_recvframe_queue(defrag_q, pfree_recv_queue); - - return NULL; - } + /* the first fragment number must be 0 */ + if (curfragnum !=3D pfhdr->attrib.frag_num) + goto out_err; =20 curfragnum++; =20 @@ -1112,13 +1107,9 @@ static union recv_frame *recvframe_defrag(struct ada= pter *adapter, =20 /* check the fragment sequence (2nd ~n fragment frame) */ =20 - if (curfragnum !=3D pnfhdr->attrib.frag_num) { - /* the fragment number must be increasing (after decache) */ - /* release the defrag_q & prframe */ - rtw_free_recvframe(prframe, pfree_recv_queue); - rtw_free_recvframe_queue(defrag_q, pfree_recv_queue); - return NULL; - } + /* the fragment number must be increasing (after decache) */ + if (curfragnum !=3D pnfhdr->attrib.frag_num) + goto out_err; =20 curfragnum++; =20 
@@ -1127,12 +1118,17 @@ static union recv_frame *recvframe_defrag(struct ad= apter *adapter, =20 wlanhdr_offset =3D pnfhdr->attrib.hdrlen + pnfhdr->attrib.iv_len; =20 - recvframe_pull(pnextrframe, wlanhdr_offset); + if (!recvframe_pull(pnextrframe, wlanhdr_offset)) + goto out_err; =20 /* append to first fragment frame's tail (if privacy frame, pull the IC= V) */ - recvframe_pull_tail(prframe, pfhdr->attrib.icv_len); + if (!recvframe_pull_tail(prframe, pfhdr->attrib.icv_len)) + goto out_err; + + /* Verify the receiving buffer has enough space for the fragment */ + if (pnfhdr->len > pfhdr->rx_end - pfhdr->rx_tail) + goto out_err; =20 - /* memcpy */ memcpy(pfhdr->rx_tail, pnfhdr->rx_data, pnfhdr->len); =20 recvframe_put(prframe, pnfhdr->len); 
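Review bot: the new check `if (pnfhdr->len > pfhdr->rx_end - pfhdr->rx_tail)` compares an unsigned length against a pointer difference (ptrdiff_t), which is only correct while rx_tail <= rx_end; that holds here because a failed recvframe_pull_tail() now bails out before the comparison, so a one-line comment stating that the check depends on running after the pull_tail() NULL test would protect anyone who later reorders the block. The quantity checked, pnfhdr->len, is also exactly what the memcpy() on the next lines copies, which is the right pairing; the comment could say so, since the commit message's "stale pointers" argument rests on it.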
@@ -1146,6 +1142,11 @@ static union recv_frame *recvframe_defrag(struct ada= pter *adapter, rtw_free_recvframe_queue(defrag_q, pfree_recv_queue); =20 return prframe; + +out_err: + rtw_free_recvframe(prframe, pfree_recv_queue); + rtw_free_recvframe_queue(defrag_q, pfree_recv_queue); + return NULL; } =20 /* check if need to defrag, if needed queue the frame to defrag_q */ --=20 2.43.0 From nobody Tue Jun 16 06:25:07 2026 Received: from mail-vk1-f180.google.com (mail-vk1-f180.google.com [209.85.221.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 63EE034F48F for ; Fri, 17 Apr 2026 03:02:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.180 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776394978; cv=none; b=U2OwAIwfWFBe2ixW9pQuRmveAebtrcai0r6YA/8HPVwiSPEpwE+qriznYbNE0u+qsDWry4ZZ7qkF2SgzKjNRjMA4PzROaw5V1fFm/FC7YdEZjn0HrSET+RnAnZXpb/MD+CxE0C+ojewU769Ex2XsaXGppjuRYJzAqY9Ed9+D5vk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776394978; c=relaxed/simple; bh=gjYu/2ofJyGBRiCJbFCjes1+fHC4+IquDZRUtme0YS0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=IRpTbPNm6cJ1Tss/soUQd0TQkYSJSkHi6+g6NrZ/X0J5bQIeAg2z8IhpdbPbqY642sWmha09oSsJisFfiHR0jGEH2yGG0MZspap7GWwdYSTpGDk9YlEyMJ49iK6Zh1R3pVt6bfTYtX27sA8RhhpptOH+oDf8sySn0EtGJtaPTUA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=jfqtDTu4; arc=none smtp.client-ip=209.85.221.180 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass 
From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v5 2/5] staging: rtl8723bs: fix integer underflow in TKIP MIC verification
Date: Fri, 17 Apr 2026 04:01:07 +0100
Message-ID: <20260417030110.42991-3-delenetchior1@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260417030110.42991-1-delenetchior1@gmail.com>
References: <20260417030110.42991-1-delenetchior1@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

In recvframe_chkmic(), the payload length is computed as:

    datalen = precvframe->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_len - prxattrib->icv_len - 8;

All operands are unsigned. If the receive frame is shorter than the sum of the header, IV, ICV and MIC sizes, this subtraction wraps around and datalen becomes a huge unsigned value. That value is then passed to rtw_secmicappend(), which reads past the end of the receive buffer and can leak kernel memory or trigger a crash.

An attacker within WiFi radio range can exploit this by sending a crafted short TKIP-encrypted frame. No authentication is required.

Validate that the frame is large enough for the TKIP MIC computation before the subtraction.

Found by reviewing length arithmetic in the TKIP receive path. Not tested on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak
Signed-off-by: Delene Tchio Romuald
---
v5: unchanged; carry Luka Gejak's Reviewed-by.
v4: add Fixes: tag and Cc: stable (Dan Carpenter); carry Luka Gejak's Reviewed-by.
v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl.
v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply).

 drivers/staging/rtl8723bs/core/rtw_recv.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
index 52d029c28ab1f..40884788a30d6 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -390,6 +390,13 @@ static signed int recvframe_chkmic(struct adapter *ada= pter, union recv_frame *p mickey =3D &stainfo->dot11tkiprxmickey.skey[0]; } =20 + /* Ensure the frame is large enough for TKIP MIC verification */ + if (precvframe->u.hdr.len <=3D prxattrib->hdrlen + + prxattrib->iv_len + prxattrib->icv_len + 8) { + res =3D _FAIL; + goto exit; + } + datalen =3D precvframe->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_l= en - prxattrib->icv_len - 8;/* icv_len included the mic code */ pframe =3D precvframe->u.hdr.rx_data; payload =3D pframe + prxattrib->hdrlen + prxattrib->iv_len; --=20 2.43.0 From nobody Tue Jun 16 06:25:07 2026 Received: from mail-vk1-f181.google.com (mail-vk1-f181.google.com [209.85.221.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3C00B34EF05 for ; Fri, 17 Apr 2026 03:02:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.181 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776394983; cv=none; b=Wi1rc7hu1rmohNCPwNqR5iPvccrxCYHh03PBOl+FO8TvlciyvnSgafCllDmiCiE6aEkmL7I4fmMlrToSgiqh5lz3lzq7+0AJieHULXXZtK5pbt9VXPMpsbBAaXPJjkJNLhrDHmdcP7KFxDWhfOqinLikXHZ19cOCItAZUt43B6o= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776394983; c=relaxed/simple; bh=f1VpgAuRFjAB6eoW8D6yTIh5CxnI/XQ9GddAe5a7FWk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=YR8fymYL3he80gwCJOxJFLR6oUkaRHhqlqft2l6xu8tT2cCjZDPlnHYGLjLWAxWuO4hKZdiRJvAUlgIHFtXzOZ+udWUCe1V6Na2XrexnpORo8Z1FzshRpbSwH0Ssxj6ESCUoOpHaJf1HLscAHbfWi7evRuIjifqF6dXdX8A6lZQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=XQPx0SZK; arc=none smtp.client-ip=209.85.221.181 
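Review bot: the guard uses `<=`, so a frame whose length is exactly hdrlen + iv_len + icv_len + 8 (an empty payload with the MIC still present) is now rejected with _FAIL, whereas `<` is all that is needed to keep datalen from wrapping; if rejecting a zero-length payload is intended, the comment should say so, otherwise use `<`. The `res = _FAIL; goto exit;` pair also assumes the existing exit label in recvframe_chkmic() does nothing a frame rejected this early would object to; the hunk does not show the label, so please confirm that in the cover text.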
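The length arithmetic this commit message describes, as an added stand-alone C example that is not the driver's code: the unguarded subtraction beside the guarded form the patch adds, plus a helper that reports how far a MIC pass over the wrapped datalen would read. The frame geometry (24-byte header, 8-byte IV, 4-byte ICV) and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define TKIP_MIC_LEN 8U

/* Before: the original arithmetic.  Every operand is unsigned, so a frame
 * shorter than hdrlen + iv_len + icv_len + 8 wraps to a huge value instead
 * of going negative. */
uint32_t tkip_datalen_unchecked(uint32_t frame_len, uint32_t hdrlen,
                                uint32_t iv_len, uint32_t icv_len)
{
    return frame_len - hdrlen - iv_len - icv_len - TKIP_MIC_LEN;
}

/* After: the same subtraction guarded the way the patch does it, with the
 * frame rejected when it is not strictly longer than the fixed overhead.
 * Returns -1 for "too short", otherwise the payload length. */
long tkip_datalen_checked(uint32_t frame_len, uint32_t hdrlen,
                          uint32_t iv_len, uint32_t icv_len)
{
    uint32_t overhead = hdrlen + iv_len + icv_len + TKIP_MIC_LEN;

    if (frame_len <= overhead)
        return -1;
    return (long)(frame_len - overhead);
}

/* Last byte index (exclusive) that a MIC computation over `datalen`
 * payload bytes followed by the 8-byte MIC would touch, counted from the
 * start of the frame.  64-bit on purpose so a wrapped datalen shows its
 * real size instead of wrapping a second time. */
uint64_t tkip_mic_read_end(uint32_t hdrlen, uint32_t iv_len, uint32_t datalen)
{
    return (uint64_t)hdrlen + iv_len + datalen + TKIP_MIC_LEN;
}

int main(void)
{
    /* Constructed 40-byte frame: 4 bytes shorter than the 44-byte overhead. */
    uint32_t bad = tkip_datalen_unchecked(40, 24, 8, 4);

    printf("unchecked datalen for a 40-byte frame: %u\n", (unsigned)bad);
    printf("bytes the MIC pass would read: %llu (buffer holds 40)\n",
           (unsigned long long)tkip_mic_read_end(24, 8, bad));
    printf("checked datalen for the same frame: %ld\n",
           tkip_datalen_checked(40, 24, 8, 4));
    printf("checked datalen for a 100-byte frame: %ld\n",
           tkip_datalen_checked(100, 24, 8, 4));
    return 0;
}
```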
From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v5 3/5] staging: rtl8723bs: fix out-of-bounds read in portctrl()
Date: Fri, 17 Apr 2026 04:01:08 +0100
Message-ID: <20260417030110.42991-4-delenetchior1@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260417030110.42991-1-delenetchior1@gmail.com>
References: <20260417030110.42991-1-delenetchior1@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

In portctrl(), when 802.1X port control is enabled and a non-EAPOL frame is received, the ether_type is read from the LLC header without verifying that the frame actually contains enough bytes to hold the MAC header, IV and the LLC header plus two bytes of ether_type. For sufficiently short frames, the memcpy() that loads be_tmp reads past the end of the receive buffer.

An attacker within WiFi radio range can exploit this by sending a crafted short frame. No authentication is required.

Validate the frame length before dereferencing the LLC header and return early on short frames and on non-EAPOL frames, rather than staging the result in prtnframe.

Found by reviewing length validation in the receive path. Not tested on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Delene Tchio Romuald
---
v5: return NULL directly on the short-frame and non-EAPOL error paths instead of staging the result through prtnframe (Dan Carpenter).
v4: add Fixes: tag and Cc: stable (Dan Carpenter).
v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl.
v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply).

 drivers/staging/rtl8723bs/core/rtw_recv.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
index 40884788a30d6..b11982fbe7e1f 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -537,20 +537,25 @@ static union recv_frame *portctrl(struct adapter *ada= pter, union recv_frame *pre /* blocked */ /* only accept EAPOL frame */ =20 - prtnframe =3D precv_frame; + /* Ensure frame has LLC header and ether_type */ + if (pfhdr->len < pattrib->hdrlen + + pattrib->iv_len + LLC_HEADER_LENGTH + 2) { + rtw_free_recvframe(precv_frame, + &adapter->recvpriv.free_recv_queue); + return NULL; + } =20 /* get ether_type */ - ptr =3D ptr + pfhdr->attrib.hdrlen + pfhdr->attrib.iv_len + LLC_HEADER_= LENGTH; + ptr +=3D pattrib->hdrlen + pattrib->iv_len + LLC_HEADER_LENGTH; memcpy(&be_tmp, ptr, 2); ether_type =3D ntohs(be_tmp); =20 - if (ether_type =3D=3D eapol_type) - prtnframe =3D precv_frame; - else { - /* free this frame */ - rtw_free_recvframe(precv_frame, &adapter->recvpriv.free_recv_queue); - prtnframe =3D NULL; + if (ether_type !=3D eapol_type) { + rtw_free_recvframe(precv_frame, + &adapter->recvpriv.free_recv_queue); + return NULL; } + prtnframe =3D precv_frame; } else { /* allowed */ /* check decryption status, and decrypt the frame if needed */ --=20 2.43.0 From nobody Tue Jun 16 06:25:07 2026 Received: from mail-vk1-f180.google.com (mail-vk1-f180.google.com [209.85.221.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C721634A76B for ; Fri, 17 Apr 2026 03:03:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.180 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776394987; cv=none; b=pG15OTHJsdzDdz0N0svFgL0K6onbQQkI4O3a376Ldi5vft4skr7CtyPZ3jh1a3IShfkkj2FuRVVAe32h1l17HMVx6YWJBt11J6ey/bjvYTi0ZO/IqjrTB5tkFB0wnwZbECIYSWfmvKxGeu9FK+3n1pi8EhBRbASj36ys7oMLJAc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776394987; c=relaxed/simple; bh=tJMT7+DrVL8F21RA6G4NVXKLEUtt++LIxE74yyak3A0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: 
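Review bot: the guard `pfhdr->len < pattrib->hdrlen + pattrib->iv_len + LLC_HEADER_LENGTH + 2` covers exactly the two bytes the following `memcpy(&be_tmp, ptr, 2)` reads, and switching the pointer arithmetic to the same pattrib fields keeps the check and the read in step, which is right. Two tidy-ups while the block is open: the short-frame and non-EAPOL paths now duplicate the identical `rtw_free_recvframe(precv_frame, &adapter->recvpriv.free_recv_queue); return NULL;` pair, which a single label would fold, and `memcpy(&be_tmp, ptr, 2); ether_type = ntohs(be_tmp);` could become `ether_type = get_unaligned_be16(ptr);`, dropping be_tmp altogether.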
From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v5 4/5] staging: rtl8723bs: fix out-of-bounds reads in IE parsing functions
Date: Fri, 17 Apr 2026 04:01:09 +0100
Message-ID: <20260417030110.42991-5-delenetchior1@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260417030110.42991-1-delenetchior1@gmail.com>
References: <20260417030110.42991-1-delenetchior1@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

rtw_get_wapi_ie(), rtw_get_sec_ie() and rtw_get_wps_ie() walk a buffer of Information Elements using the TLV length field without first verifying that the length byte itself is inside the buffer, and without verifying that the specific bytes dereferenced by the subsequent memcmp() calls fit inside the declared element.

An attacker within WiFi radio range can exploit this by sending crafted beacon or probe-response frames carrying truncated or oversized IEs. No authentication is required.

Ensure the length byte is inside the buffer (cnt + 1 < in_len), break out of the loop if the declared element length would read past in_len, and before each memcmp() verify that the offsets it touches are inside the buffer: cnt + 10 for the WAPI OUI compared at offset 6, and cnt + 6 for the WPA/WPS OUIs compared at offset 2.

Found by reviewing bounds checks in IE walkers. Not tested on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Delene Tchio Romuald --- v5: add an inner bound check before each memcmp() so that the OUI read at offset 6 (WAPI) or offset 2 (WPA/WPS) stays inside the declared element (Dan Carpenter). v4: add Fixes: tag and Cc: stable (Dan Carpenter). v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl. v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply). .../staging/rtl8723bs/core/rtw_ieee80211.c | 70 +++++++++++++------ 1 file changed, 47 insertions(+), 23 deletions(-) diff --git a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c b/drivers/stagi= ng/rtl8723bs/core/rtw_ieee80211.c index 72b7f731dd471..1b61879acb48e 100644 --- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c +++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c @@ -582,18 +582,25 @@ int rtw_get_wapi_ie(u8 *in_ie, uint in_len, u8 *wapi_= ie, u16 *wapi_len) =20 cnt =3D (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_); =20 - while (cnt < in_len) { + while (cnt + 1 < in_len) { authmode =3D in_ie[cnt]; =20 - if (authmode =3D=3D WLAN_EID_BSS_AC_ACCESS_DELAY && - (!memcmp(&in_ie[cnt + 6], wapi_oui1, 4) || - !memcmp(&in_ie[cnt + 6], wapi_oui2, 4))) { - if (wapi_ie) - memcpy(wapi_ie, &in_ie[cnt], in_ie[cnt + 1] + 2); + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; + + if (authmode =3D=3D WLAN_EID_BSS_AC_ACCESS_DELAY) { + if (cnt + 10 > in_len) + break; =20 - if (wapi_len) - *wapi_len =3D in_ie[cnt + 1] + 2; + if (!memcmp(&in_ie[cnt + 6], wapi_oui1, 4) || + !memcmp(&in_ie[cnt + 6], wapi_oui2, 4)) { + if (wapi_ie) + memcpy(wapi_ie, &in_ie[cnt], + in_ie[cnt + 1] + 2); =20 + if (wapi_len) + *wapi_len =3D in_ie[cnt + 1] + 2; + } } =20 cnt +=3D in_ie[cnt + 1] + 2; /* get next */ 
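Review bot: the inner check `if (cnt + 10 > in_len) break;` keeps the 4-byte OUI read at cnt + 6 inside in_ie, but not inside the declared element as the v5 changelog says: once `cnt + 2 + in_ie[cnt + 1] > in_len` has passed, cnt + 10 can still exceed cnt + 2 + in_ie[cnt + 1] whenever the element length is below 8, and the memcmp() then compares bytes belonging to the next element. Testing `in_ie[cnt + 1] < 8` instead states the intent directly and makes the in_len bound follow from the earlier check. Breaking out of the loop on that condition also abandons every later IE because of one short WAPI element; falling through to the `cnt += in_ie[cnt + 1] + 2` advance skips just that element. Both points apply equally to the `cnt + 6` checks on the WPA and WPS OUIs in the following two hunks.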
@@ -615,15 +622,23 @@ void rtw_get_sec_ie(u8 *in_ie, uint in_len, u8 *rsn_i= e, u16 *rsn_len, u8 *wpa_ie =20 cnt =3D (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_); =20 - while (cnt < in_len) { + while (cnt + 1 < in_len) { authmode =3D in_ie[cnt]; =20 - if ((authmode =3D=3D WLAN_EID_VENDOR_SPECIFIC) && - (!memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4))) { - if (wpa_ie) - memcpy(wpa_ie, &in_ie[cnt], in_ie[cnt + 1] + 2); + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; + + if (authmode =3D=3D WLAN_EID_VENDOR_SPECIFIC) { + if (cnt + 6 > in_len) + break; + + if (!memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4)) { + if (wpa_ie) + memcpy(wpa_ie, &in_ie[cnt], + in_ie[cnt + 1] + 2); =20 - *wpa_len =3D in_ie[cnt + 1] + 2; + *wpa_len =3D in_ie[cnt + 1] + 2; + } } else if (authmode =3D=3D WLAN_EID_RSN) { if (rsn_ie) memcpy(rsn_ie, &in_ie[cnt], in_ie[cnt + 1] + 2); 
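Review bot: `if (cnt + 6 > in_len) break;` in the WLAN_EID_VENDOR_SPECIFIC branch of rtw_get_sec_ie() has the same shape as the WAPI check: given the preceding `cnt + 2 + in_ie[cnt + 1] > in_len` test it can only trip for a vendor element with `in_ie[cnt + 1] < 4` in the last bytes of the buffer, and for a short vendor element elsewhere memcmp(&in_ie[cnt + 2], ...) still compares bytes that belong to the following element. In this function the `break` also costs more than in the other two walkers, because the RSN element is picked up by the `else if (authmode == WLAN_EID_RSN)` arm of the same loop, so whatever follows the malformed element is never scanned; with the check as written that can only happen near the end of the buffer, but with an element-length test it need not happen at all. Fold the length test into the match, `if (in_ie[cnt + 1] >= 4 && !memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4))`, and let the loop advance. Minor: `*wpa_len = in_ie[cnt + 1] + 2;` is still written without the NULL check that wapi_len gets in rtw_get_wapi_ie() (`if (wapi_len)`); pre-existing, but cheap to align while the line is being re-indented.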
@@ -658,21 +673,30 @@ u8 *rtw_get_wps_ie(u8 *in_ie, uint in_len, u8 *wps_ie= , uint *wps_ielen) =20 cnt =3D 0; =20 - while (cnt < in_len) { + while (cnt + 1 < in_len) { eid =3D in_ie[cnt]; =20 - if ((eid =3D=3D WLAN_EID_VENDOR_SPECIFIC) && (!memcmp(&in_ie[cnt + 2], w= ps_oui, 4))) { - wpsie_ptr =3D &in_ie[cnt]; + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; =20 - if (wps_ie) - memcpy(wps_ie, &in_ie[cnt], in_ie[cnt + 1] + 2); + if (eid =3D=3D WLAN_EID_VENDOR_SPECIFIC) { + if (cnt + 6 > in_len) + break; =20 - if (wps_ielen) - *wps_ielen =3D in_ie[cnt + 1] + 2; + if (!memcmp(&in_ie[cnt + 2], wps_oui, 4)) { + wpsie_ptr =3D &in_ie[cnt]; =20 - cnt +=3D in_ie[cnt + 1] + 2; + if (wps_ie) + memcpy(wps_ie, &in_ie[cnt], + in_ie[cnt + 1] + 2); =20 - break; + if (wps_ielen) + *wps_ielen =3D in_ie[cnt + 1] + 2; + + cnt +=3D in_ie[cnt + 1] + 2; + + break; + } } cnt +=3D in_ie[cnt + 1] + 2; /* goto next */ } --=20 2.43.0 From nobody Tue Jun 16 06:25:07 2026 Received: from mail-vk1-f177.google.com (mail-vk1-f177.google.com [209.85.221.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7471634F48F for ; Fri, 17 Apr 2026 03:03:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.177 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776394991; cv=none; b=H+TXEY0VOMwXhLC2gk27tiD0Hy+M7uQhKyQ/n0dItpt8tpxoWXkS0M39uZ2GEV6sPSw91mcRw77P1547AgLqlNXq0wEHZOwDaNoOGLeQwZZ7geXoyGRUlNtwOsLYPlWugCUPeWhbP36spdnzC9ZqBxgAwSFM/Mgebru0Zng9AEY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776394991; c=relaxed/simple; bh=Qf2pj9mdWhoOhQaMbpBXpuYL+EpLLGiJqu1COixk28I=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; 
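Review bot: `if (cnt + 6 > in_len) break;` in rtw_get_wps_ie() is the same indirect test as in the other two hunks: an element that passed `cnt + 2 + in_ie[cnt + 1] > in_len` can only fail it when `in_ie[cnt + 1] < 4`, and then only if it is within the last bytes of the buffer, so memcmp(&in_ie[cnt + 2], wps_oui, 4) on a short vendor element anywhere else still reads the next element's bytes. Write `if (in_ie[cnt + 1] < 4)` (or put `in_ie[cnt + 1] >= 4 &&` into the match condition) so the compare is known to stay within the element the changelog refers to, and skip the element rather than `break`. One thing this hunk re-indents but does not change: `memcpy(wps_ie, &in_ie[cnt], in_ie[cnt + 1] + 2)` copies up to 257 bytes into wps_ie with no capacity argument, so the caller's buffer size is trusted; out of scope for this series, but worth a follow-up while the function is being tightened.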
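The shape shared by rtw_get_wapi_ie(), rtw_get_sec_ie() and rtw_get_wps_ie() as fixed above (skip the fixed beacon fields, read EID and length, check that the length byte and the declared element both lie inside the buffer, then compare an OUI at a fixed offset) written once as a generic walker. This is an added example in C written for this page, not code from the rtl8723bs driver or from the patch author. It goes a little beyond the patch: the compare offset is checked against the declared element length rather than only against in_len, a too-short element is skipped instead of ending the walk, and the copy into the caller's buffer is capped. The 12-byte fixed-field skip, the element IDs and the WPA/WPS OUIs are the standard 802.11 values the driver also uses; the beacon bytes, the function and constant names and the 64-byte destination buffer are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t u8;

/* 802.11 constants; the 12-byte skip is the driver's _TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_ */
#define BEACON_FIXED_LEN 12   /* timestamp(8) + beacon interval(2) + capability(2) */
#define EID_SSID         0
#define EID_RSN          48
#define EID_VENDOR       221

static const u8 WPA_OUI[4] = { 0x00, 0x50, 0xf2, 0x01 };
static const u8 WPS_OUI[4] = { 0x00, 0x50, 0xf2, 0x04 };

/*
 * Bounds-checked TLV walk over buf[0..len). Returns the first element with
 * 'eid' whose bytes [match_off, match_off + pat_len), counted from the
 * element's first byte (so the EID/length header is offsets 0 and 1), equal
 * 'pat'; pat_len == 0 matches on EID alone. *total_len receives header plus
 * body length. Returns NULL if nothing matches or the list is truncated, and
 * never reads a byte at or beyond buf + len.
 */
const u8 *find_ie(const u8 *buf, size_t len, size_t start, u8 eid,
                  size_t match_off, const u8 *pat, size_t pat_len,
                  size_t *total_len)
{
    size_t pos = start;

    while (pos + 2 <= len) {                  /* EID and length byte both inside buf */
        size_t total = 2 + (size_t)buf[pos + 1];

        if (pos + total > len)                /* declared length runs past the buffer: stop */
            return NULL;
        if (buf[pos] == eid &&
            (pat_len == 0 ||
             (match_off + pat_len <= total && /* compare stays inside this element, */
              memcmp(buf + pos + match_off, pat, pat_len) == 0))) { /* not just inside buf */
            if (total_len)
                *total_len = total;
            return buf + pos;
        }
        pos += total;                         /* too short or no match: skip it, don't abort */
    }
    return NULL;
}

/* Copy a located element to a caller buffer; -1 if it would not fit (an IE can be 257 bytes). */
int copy_ie(const u8 *ie, size_t total_len, u8 *dst, size_t dst_cap)
{
    if (!ie || total_len > dst_cap)
        return -1;
    memcpy(dst, ie, total_len);
    return (int)total_len;
}

/*
 * Constructed beacon body, not a captured frame: 12 fixed bytes, then SSID,
 * a 2-byte vendor element that cannot hold a 4-byte OUI, a WPA element, a
 * WPS element, and an RSN element that declares 20 bytes but has only 2.
 */
const u8 SAMPLE_BEACON[] = {
    0, 0, 0, 0, 0, 0, 0, 0,  0x64, 0x00,  0x11, 0x04,
    EID_SSID,    4, 't', 'e', 's', 't',
    EID_VENDOR,  2, 0x00, 0x50,
    EID_VENDOR,  6, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00,
    EID_VENDOR,  8, 0x00, 0x50, 0xf2, 0x04, 0x10, 0x4a, 0x00, 0x01,
    EID_RSN,    20, 0x01, 0x00,
};
const size_t SAMPLE_BEACON_LEN = sizeof SAMPLE_BEACON;

/* Offset in SAMPLE_BEACON of the first element matching (eid, pat), or -1. */
long sample_offset(u8 eid, size_t match_off, const u8 *pat, size_t pat_len, size_t *total_len)
{
    const u8 *ie = find_ie(SAMPLE_BEACON, SAMPLE_BEACON_LEN, BEACON_FIXED_LEN,
                           eid, match_off, pat, pat_len, total_len);
    return ie ? (long)(ie - SAMPLE_BEACON) : -1;
}

int main(void)
{
    size_t n = 0;
    u8 out[64];
    const u8 *wps = find_ie(SAMPLE_BEACON, SAMPLE_BEACON_LEN, BEACON_FIXED_LEN,
                            EID_VENDOR, 2, WPS_OUI, 4, &n);

    printf("WPA element at offset %ld\n", sample_offset(EID_VENDOR, 2, WPA_OUI, 4, NULL));
    printf("WPS element at offset %ld, %zu bytes, copied %d\n",
           sample_offset(EID_VENDOR, 2, WPS_OUI, 4, NULL), n, copy_ie(wps, n, out, sizeof out));
    printf("RSN element at offset %ld (truncated, so not found)\n",
           sample_offset(EID_RSN, 0, NULL, 0, NULL));
    return 0;
}
```

Against the constructed beacon the WPA element is found at offset 22 and the WPS element at offset 30 (10 bytes), the 2-byte vendor element at offset 18 is stepped over without a memcmp(), and the truncated RSN element makes find_ie() return NULL instead of reading past the end. The difference from the patch is the `match_off + pat_len <= total` test: it is checked against the element's own declared length, so the compare can never land in a neighbouring element, and a failed check advances to the next element rather than ending the scan.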
From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v5 5/5] staging: rtl8723bs: fix negative length in WEP decryption
Date: Fri, 17 Apr 2026 04:01:10 +0100
Message-ID: <20260417030110.42991-6-delenetchior1@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260417030110.42991-1-delenetchior1@gmail.com>
References: <20260417030110.42991-1-delenetchior1@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

In rtw_wep_decrypt(), the payload length is computed as:

    length = frame->len - prxattrib->hdrlen - prxattrib->iv_len;

All operands are unsigned. If the frame is shorter than the sum of the header length, IV length and the 4-byte ICV, this subtraction wraps around or produces a value smaller than 4; the subsequent crc32_le(~0, payload, length - 4) call then wraps length - 4 to a huge value and reads past the end of the receive buffer.

An attacker within WiFi radio range can exploit this by sending a crafted short WEP-encrypted frame. No authentication is required.

Validate that the frame is large enough to contain at least the 4-byte ICV on top of the header and IV before computing length.

Found by reviewing length arithmetic in the WEP decrypt path. Not tested on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Delene Tchio Romuald --- v5: tighten the length check to also cover the 4-byte ICV so that the subsequent crc32_le(payload, length - 4) call cannot underflow length - 4. v4: add Fixes: tag and Cc: stable (Dan Carpenter). v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl. v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply). drivers/staging/rtl8723bs/core/rtw_security.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/staging/rtl8723bs/core/rtw_security.c b/drivers/stagin= g/rtl8723bs/core/rtw_security.c index a00504ff29109..ddd6ed2245035 100644 --- a/drivers/staging/rtl8723bs/core/rtw_security.c +++ b/drivers/staging/rtl8723bs/core/rtw_security.c @@ -113,6 +113,12 @@ void rtw_wep_decrypt(struct adapter *padapter, u8 *pr= ecvframe) memcpy(&wepkey[0], iv, 3); /* memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[psecuritypriv->dot11Pr= ivacyKeyIndex].skey[0], keylength); */ memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[keyindex].skey[0], keylen= gth); + + /* Ensure the frame is long enough for WEP payload and ICV */ + if (((union recv_frame *)precvframe)->u.hdr.len < + prxattrib->hdrlen + prxattrib->iv_len + 4) + return; + length =3D ((union recv_frame *)precvframe)->u.hdr.len - prxattrib->hdrl= en - prxattrib->iv_len; =20 payload =3D pframe + prxattrib->iv_len + prxattrib->hdrlen; --=20 2.43.0
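Review bot: the new check sits after `memcpy(&wepkey[0], iv, 3);`, which already reads three bytes at the IV position past the header, so for a frame shorter than hdrlen + 3 the out-of-bounds read has happened before the guard runs; move the `if (... < prxattrib->hdrlen + prxattrib->iv_len + 4) return;` above the first use of `iv`, ahead of both wepkey memcpy() calls. Two smaller points: the comment says "WEP payload and ICV" while the condition admits a zero-length payload (header + IV + ICV only), which is fine but worth saying; and since rtw_wep_decrypt() returns void, the early return leaves the frame undecrypted with nothing telling the caller, so please confirm (and mention in the commit message) that the caller drops a frame this path bails out on rather than passing the still-encrypted bytes up the stack.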
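The length arithmetic from the second patch, as an added example written for this page in C (not the driver's rtw_wep_decrypt() and not the patch author's code): a standalone WEP receive path that computes the same frame_len - hdrlen - iv_len length but validates the frame before the IV is read, verifies the ICV, and is driven by a constructed encrypt-then-decrypt round trip, including a frame cut short the way the commit message describes. A small RC4 and CRC-32 stand in for the kernel's arc4_setkey()/arc4_crypt() and crc32_le(); UNCHECKED_WEP_LENGTH() reproduces the unsigned wrap of the unpatched expression. The 24-byte header bytes, the WEP-40 key, the IV and the body are constructed; the 4-byte IV plus key-id and the 4-byte ICV are the 802.11 WEP layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint8_t u8; typedef uint32_t u32;

#define WEP_IV_LEN  4   /* 3 IV bytes + key-id byte: the driver's iv_len for WEP */
#define WEP_ICV_LEN 4   /* CRC-32 of the body, stored little-endian after it */

/* The driver's guard-less arithmetic: every operand unsigned, so a short frame wraps. */
#define UNCHECKED_WEP_LENGTH(frame_len, hdrlen, iv_len) ((size_t)(frame_len) - (hdrlen) - (iv_len))

/* Standard CRC-32 (reflected, poly 0xEDB88320), i.e. ~crc32_le(~0, p, n). */
u32 crc32_ieee(const u8 *p, size_t n)
{
    u32 c = ~0u;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* RC4 in place, standing in for the kernel's arc4_setkey()/arc4_crypt(). */
void rc4_crypt(const u8 *key, size_t klen, u8 *buf, size_t n)
{
    u8 S[256], t; unsigned i, j;
    for (i = 0; i < 256; i++) S[i] = (u8)i;
    for (i = j = 0; i < 256; i++) {
        j = (j + S[i] + key[i % klen]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    for (i = j = 0; n; n--, buf++) {
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
        *buf ^= S[(S[i] + S[j]) & 0xff];
    }
}

/* Decrypt header | IV | RC4(body | ICV) in place. Returns the body length, -1 if the
 * frame cannot hold header + IV + ICV (checked before any byte past the header is
 * touched), -2 on ICV mismatch. keylen is at most 13 (WEP-104). */
int wep_decrypt(u8 *frame, size_t frame_len, size_t hdrlen, const u8 *key, size_t keylen)
{
    u8 rc4key[16], *payload; size_t length; u32 icv = 0;
    if (keylen > 13 || frame_len < hdrlen + WEP_IV_LEN + WEP_ICV_LEN)
        return -1;
    memcpy(rc4key, frame + hdrlen, 3);        /* the IV read is now known to be in bounds */
    memcpy(rc4key + 3, key, keylen);
    length = frame_len - hdrlen - WEP_IV_LEN; /* >= 4, so length - 4 below cannot wrap */
    payload = frame + hdrlen + WEP_IV_LEN;
    rc4_crypt(rc4key, 3 + keylen, payload, length);
    for (int b = 0; b < 4; b++)
        icv |= (u32)payload[length - 4 + b] << (8 * b);
    return icv == crc32_ieee(payload, length - WEP_ICV_LEN) ? (int)(length - WEP_ICV_LEN) : -2;
}

/* Build a frame as a sender would; returns its length, 0 if out is too small. */
size_t wep_encrypt(u8 *out, size_t out_cap, const u8 *hdr, size_t hdrlen, const u8 iv[3],
                   const u8 *key, size_t keylen, const u8 *body, size_t bodylen)
{
    size_t total = hdrlen + WEP_IV_LEN + bodylen + WEP_ICV_LEN;
    if (keylen > 13 || total > out_cap)
        return 0;
    u8 rc4key[16], *payload = out + hdrlen + WEP_IV_LEN;
    u32 icv = crc32_ieee(body, bodylen);
    memcpy(out, hdr, hdrlen);
    memcpy(out + hdrlen, iv, 3);
    out[hdrlen + 3] = 0;                      /* key-id 0 */
    memcpy(payload, body, bodylen);
    for (int b = 0; b < 4; b++)
        payload[bodylen + b] = (u8)(icv >> (8 * b));
    memcpy(rc4key, iv, 3);
    memcpy(rc4key + 3, key, keylen);
    rc4_crypt(rc4key, 3 + keylen, payload, bodylen + WEP_ICV_LEN);
    return total;
}

/* Constructed round trip: 24-byte data header, WEP-40 key, 14-byte body. truncate_to > 0
 * hands only that many bytes to the decryptor, like a frame cut short on the air. */
int sample_roundtrip(size_t truncate_to)
{
    static const u8 hdr[24] = { 0x08, 0x41 }, key[5] = { 'k', 'e', 'y', '4', '0' };
    static const u8 iv[3] = { 1, 2, 3 }, body[] = "attack at dawn";   /* NUL not sent */
    u8 frame[64];
    size_t n = wep_encrypt(frame, sizeof frame, hdr, sizeof hdr, iv,
                           key, sizeof key, body, sizeof body - 1);
    if (truncate_to && truncate_to < n)
        n = truncate_to;
    int rc = wep_decrypt(frame, n, sizeof hdr, key, sizeof key);
    /* -3: ICV passed but the bytes are wrong (would mean an RC4 or CRC bug here) */
    return (rc > 0 && memcmp(frame + sizeof hdr + WEP_IV_LEN, body, (size_t)rc)) ? -3 : rc;
}
```

sample_roundtrip(0) decrypts the 46-byte frame and returns 14; sample_roundtrip(31) is rejected by the guard with -1 before any byte beyond the 24-byte header is read; sample_roundtrip(40) passes the guard (40 >= 24 + 4 + 4), decrypts a 12-byte payload and fails the ICV with -2. UNCHECKED_WEP_LENGTH(26, 24, 4) is what the unpatched expression yields for a 26-byte frame, SIZE_MAX - 1, which is the value that would then be handed to the RC4 and CRC calls. The guard in wep_decrypt() runs before the IV memcpy(), which is the ordering the patch above does not quite have.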