1. Patchew
  2. linux
  3. View series

[PATCH v6 0/5] staging: rtl8723bs: fix multiple security vulnerabilities

Delene Tchio Romuald posted 5 patches 1 month, 4 weeks ago 
.../staging/rtl8723bs/core/rtw_ieee80211.c    | 70 +++++++++++++------
drivers/staging/rtl8723bs/core/rtw_recv.c     | 51 +++++++++-----
drivers/staging/rtl8723bs/core/rtw_security.c |  6 ++
3 files changed, 87 insertions(+), 40 deletions(-)
[PATCH v6 0/5] staging: rtl8723bs: fix multiple security vulnerabilities
Posted by Delene Tchio Romuald 1 month, 4 weeks ago 
This series fixes five remotely-triggerable memory safety issues in
the rtl8723bs driver. All of them are reachable from the air by an
attacker within WiFi radio range, without authentication, via
crafted management or data frames:

  1. Heap buffer overflow in recvframe_defrag() when reassembling
     fragmented frames whose total payload exceeds the receive
     buffer capacity.
  2. Integer underflow in TKIP MIC verification when a frame is
     shorter than the sum of header, IV, ICV and MIC sizes.
  3. Out-of-bounds read in portctrl() when a non-EAPOL frame is
     shorter than the 802.11 header + IV + LLC + ether_type.
  4. Out-of-bounds reads in three IE walkers (rtw_get_wapi_ie(),
     rtw_get_sec_ie(), rtw_get_wps_ie()) due to missing validation
     of the TLV length byte and of the byte ranges touched by the
     subsequent memcmp() calls.
  5. Integer underflow in rtw_wep_decrypt() when a WEP frame is
     shorter than the header + IV + ICV.

Each patch was found by code review and is not tested on hardware.

Changes since v5:
 - Patch 1/5: restore the "/* memcpy */" comment that v5 had
   removed as drive-by cleanup (Dan Carpenter).
 - Patch 3/5: drop the unrelated cleanups (ptr = ptr + X -> ptr +=
   X, inversion of the ether_type == eapol_type branch into
   direct return NULL); the patch now only adds the short-frame
   length check before dereferencing the LLC header (Dan
   Carpenter).
 - Patches 2/5, 4/5 and 5/5 are unchanged.

Changes since v4:
 - Patch 1/5: collapse the identical cleanup sites in
   recvframe_defrag() into a single out_err label (Dan Carpenter).
 - Patch 4/5: in addition to the outer TLV length check, add an
   inner bound check before each memcmp() so that the OUI read at
   offset 6 (WAPI) or offset 2 (WPA/WPS) stays inside the declared
   element (Dan Carpenter).
 - Patch 5/5: tighten the length check to also cover the 4-byte
   ICV, so that the subsequent crc32_le(payload, length - 4) call
   cannot underflow length - 4.

Changes since v3:
 - All patches: add Fixes: tag pointing at the driver import and
   add Cc: stable per Dan Carpenter.

Changes since v2:
 - Sent as numbered series with cover letter.

Changes since v1:
 - Rebased on staging-next.

Delene Tchio Romuald (5):
  staging: rtl8723bs: fix heap buffer overflow in recvframe_defrag()
  staging: rtl8723bs: fix integer underflow in TKIP MIC verification
  staging: rtl8723bs: fix out-of-bounds read in portctrl()
  staging: rtl8723bs: fix out-of-bounds reads in IE parsing functions
  staging: rtl8723bs: fix negative length in WEP decryption

 .../staging/rtl8723bs/core/rtw_ieee80211.c    | 70 +++++++++++++------
 drivers/staging/rtl8723bs/core/rtw_recv.c     | 51 +++++++++-----
 drivers/staging/rtl8723bs/core/rtw_security.c |  6 ++
 3 files changed, 87 insertions(+), 40 deletions(-)


base-commit: bf9c95f3eeefb7fc4b4a6380cc23f1dca744e379
--
2.43.0
Re: [PATCH v6 0/5] staging: rtl8723bs: fix multiple security vulnerabilities
Posted by Greg KH 1 month, 1 week ago 
On Fri, Apr 17, 2026 at 07:10:43AM +0100, Delene Tchio Romuald wrote:
> This series fixes five remotely-triggerable memory safety issues in
> the rtl8723bs driver. All of them are reachable from the air by an
> attacker within WiFi radio range, without authentication, via
> crafted management or data frames:
> 
>   1. Heap buffer overflow in recvframe_defrag() when reassembling
>      fragmented frames whose total payload exceeds the receive
>      buffer capacity.
>   2. Integer underflow in TKIP MIC verification when a frame is
>      shorter than the sum of header, IV, ICV and MIC sizes.
>   3. Out-of-bounds read in portctrl() when a non-EAPOL frame is
>      shorter than the 802.11 header + IV + LLC + ether_type.
>   4. Out-of-bounds reads in three IE walkers (rtw_get_wapi_ie(),
>      rtw_get_sec_ie(), rtw_get_wps_ie()) due to missing validation
>      of the TLV length byte and of the byte ranges touched by the
>      subsequent memcmp() calls.
>   5. Integer underflow in rtw_wep_decrypt() when a WEP frame is
>      shorter than the header + IV + ICV.
> 
> Each patch was found by code review and is not tested on hardware.

Please address the comments found here:
	https://sashiko.dev/#/patchset/20260417061048.62484-1-delenetchior1@gmail.com

and ideally, test it on some real hardware to verify it all still works?

thanks,

greg k-h
Re: [PATCH v6 0/5] staging: rtl8723bs: fix multiple security vulnerabilities
Posted by Luka Gejak 1 month, 4 weeks ago 
On April 17, 2026 8:10:43 AM GMT+02:00, Delene Tchio Romuald <delenetchior1@gmail.com> wrote:
>This series fixes five remotely-triggerable memory safety issues in
>the rtl8723bs driver. All of them are reachable from the air by an
>attacker within WiFi radio range, without authentication, via
>crafted management or data frames:
>

LGTM.
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Re: [PATCH v6 0/5] staging: rtl8723bs: fix multiple security vulnerabilities
Posted by Dan Carpenter 1 month, 4 weeks ago 
Thanks!

Reviewed-by: Dan Carpenter <error27@gmail.com>

regards,
dan carpenter

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.