From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v6 1/5] staging: rtl8723bs: fix heap buffer overflow in recvframe_defrag()
Date: Fri, 17 Apr 2026 07:10:44 +0100
Message-ID: <20260417061048.62484-2-delenetchior1@gmail.com>
In-Reply-To: <20260417061048.62484-1-delenetchior1@gmail.com>
References: <20260417061048.62484-1-delenetchior1@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

In recvframe_defrag(), a memcpy() copies fragment data into the reassembly buffer before validating that the buffer has sufficient space. If the total reassembled payload exceeds the receive buffer capacity, this results in a heap buffer overflow.

Additionally, the return values of recvframe_pull() and recvframe_pull_tail() were ignored. On failure those helpers revert their pointer updates and return NULL; continuing past such a failure would leave pfhdr->rx_tail at its pre-strip value, so the subsequent bounds check against rx_end - rx_tail would operate on stale pointers.

An attacker within WiFi radio range can exploit this by sending crafted 802.11 fragmented frames. No authentication is required.

Check the return values of recvframe_pull() and recvframe_pull_tail(), then verify that the fragment payload fits within the remaining buffer space before the memcpy(). Consolidate the five cleanup paths through a single out_err label.

Found by reviewing memory operations in the driver and tracing buffer pointer manipulation through rtw_recv.h inline helpers. Not tested on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Delene Tchio Romuald
Reviewed-by: Dan Carpenter
Reviewed-by: Luka Gejak
---
v6: restore the '/* memcpy */' comment that v5 had removed as drive-by cleanup (Dan Carpenter).
v5: collapse the identical cleanup sites into a single out_err label (Dan Carpenter).
v4: check return values of recvframe_pull() and recvframe_pull_tail(); drop unnecessary (uint) cast; add Fixes: tag and Cc: stable (Dan Carpenter).
v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl.
v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply).

drivers/staging/rtl8723bs/core/rtw_recv.c | 36 ++++++++++++-----------
1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rt= l8723bs/core/rtw_recv.c index f78194d508dfc..8d5d9a6dc4db0 100644 --- a/drivers/staging/rtl8723bs/core/rtw_recv.c +++ b/drivers/staging/rtl8723bs/core/rtw_recv.c @@ -1090,14 +1090,9 @@ static union recv_frame *recvframe_defrag(struct ada= pter *adapter, pfhdr =3D &prframe->u.hdr; list_del_init(&(prframe->u.list)); =20 - if (curfragnum !=3D pfhdr->attrib.frag_num) { - /* the first fragment number must be 0 */ - /* free the whole queue */ - rtw_free_recvframe(prframe, pfree_recv_queue); - rtw_free_recvframe_queue(defrag_q, pfree_recv_queue); - - return NULL; - } + /* the first fragment number must be 0 */ + if (curfragnum !=3D pfhdr->attrib.frag_num) + goto out_err; =20 curfragnum++; =20
@@ -1112,13 +1107,9 @@ static union recv_frame *recvframe_defrag(struct ada= pter *adapter, =20 /* check the fragment sequence (2nd ~n fragment frame) */ =20 - if (curfragnum !=3D pnfhdr->attrib.frag_num) { - /* the fragment number must be increasing (after decache) */ - /* release the defrag_q & prframe */ - rtw_free_recvframe(prframe, pfree_recv_queue); - rtw_free_recvframe_queue(defrag_q, pfree_recv_queue); - return NULL; - } + /* the fragment number must be increasing (after decache) */ + if (curfragnum !=3D pnfhdr->attrib.frag_num) + goto out_err; =20 curfragnum++; =20 @@ -1127,10 +1118,16 @@ static union recv_frame *recvframe_defrag(struct ad= apter *adapter, =20 wlanhdr_offset =3D pnfhdr->attrib.hdrlen + pnfhdr->attrib.iv_len; =20 - recvframe_pull(pnextrframe, wlanhdr_offset); + if (!recvframe_pull(pnextrframe, wlanhdr_offset)) + goto out_err; =20 /* append to first fragment frame's tail (if privacy frame, pull the IC= V) */ - recvframe_pull_tail(prframe, pfhdr->attrib.icv_len); + if (!recvframe_pull_tail(prframe, pfhdr->attrib.icv_len)) + goto out_err; + + /* Verify the receiving buffer has enough space for the fragment */ + if (pnfhdr->len > pfhdr->rx_end - pfhdr->rx_tail) + goto out_err; =20 /* memcpy */ memcpy(pfhdr->rx_tail, pnfhdr->rx_data, pnfhdr->len); 
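Review bot: the new check `if (pnfhdr->len > pfhdr->rx_end - pfhdr->rx_tail)` is only meaningful because the `recvframe_pull_tail()` result is tested first, so that `rx_tail` is the post-ICV-strip value the commit message relies on; that ordering dependency is not stated at the check itself. Suggest extending the comment, e.g. `/* rx_tail was updated by recvframe_pull_tail() above; verify the receiving buffer has enough space for the fragment */`, so that a later reordering of the two blocks cannot silently reintroduce the stale-pointer problem described in the commit message. Note also that the right-hand side is a pointer difference (ptrdiff_t) compared against an unsigned length, which is fine only while `rx_tail <= rx_end` holds, i.e. exactly the property the preceding return-value checks are there to guarantee.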
@@ -1146,6 +1143,11 @@ static union recv_frame *recvframe_defrag(struct ada= pter *adapter, rtw_free_recvframe_queue(defrag_q, pfree_recv_queue); =20 return prframe; + +out_err: + rtw_free_recvframe(prframe, pfree_recv_queue); + rtw_free_recvframe_queue(defrag_q, pfree_recv_queue); + return NULL; } =20 /* check if need to defrag, if needed queue the frame to defrag_q */ --=20 2.43.0
From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v6 2/5] staging: rtl8723bs: fix integer underflow in TKIP MIC verification
Date: Fri, 17 Apr 2026 07:10:45 +0100
Message-ID: <20260417061048.62484-3-delenetchior1@gmail.com>
In-Reply-To: <20260417061048.62484-1-delenetchior1@gmail.com>
References: <20260417061048.62484-1-delenetchior1@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

In recvframe_chkmic(), the payload length is computed as:

    datalen = precvframe->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_len - prxattrib->icv_len - 8;

All operands are unsigned. If the receive frame is shorter than the sum of the header, IV, ICV and MIC sizes, this subtraction wraps around and datalen becomes a huge unsigned value. That value is then passed to rtw_secmicappend(), which reads past the end of the receive buffer and can leak kernel memory or trigger a crash.

An attacker within WiFi radio range can exploit this by sending a crafted short TKIP-encrypted frame. No authentication is required.

Validate that the frame is large enough for the TKIP MIC computation before the subtraction.

Found by reviewing length arithmetic in the TKIP receive path. Not tested on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak
Signed-off-by: Delene Tchio Romuald
Reviewed-by: Dan Carpenter
---
v6: unchanged.
v5: unchanged.
v4: add Fixes: tag and Cc: stable (Dan Carpenter); carry Luka Gejak's Reviewed-by.
v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl.
v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply).

drivers/staging/rtl8723bs/core/rtw_recv.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rt= l8723bs/core/rtw_recv.c index 8d5d9a6dc4db0..e30617875a69d 100644 --- a/drivers/staging/rtl8723bs/core/rtw_recv.c +++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -390,6 +390,13 @@ static signed int recvframe_chkmic(struct adapter *ada= pter, union recv_frame *p mickey =3D &stainfo->dot11tkiprxmickey.skey[0]; } =20 + /* Ensure the frame is large enough for TKIP MIC verification */ + if (precvframe->u.hdr.len <=3D prxattrib->hdrlen + + prxattrib->iv_len + prxattrib->icv_len + 8) { + res =3D _FAIL; + goto exit; + } + datalen =3D precvframe->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_l= en - prxattrib->icv_len - 8;/* icv_len included the mic code */ pframe =3D precvframe->u.hdr.rx_data; payload =3D pframe + prxattrib->hdrlen + prxattrib->iv_len; --=20 2.43.0
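Review bot: the guard `if (precvframe->u.hdr.len <= prxattrib->hdrlen + prxattrib->iv_len + prxattrib->icv_len + 8)` also rejects the equality case, i.e. frames whose payload after header, IV, ICV and MIC is exactly zero bytes, while the commit message only describes frames "shorter than the sum". Either use `<` so that `datalen == 0` still reaches the MIC computation, or say in the comment that zero-length TKIP payloads are deliberately dropped, so the boundary choice is recorded rather than accidental. While touching this spot, the existing `/* icv_len included the mic code */` remark on the datalen line sits next to an explicit `- 8` for the MIC and is easy to misread; one clause saying what the 8 covers would help the next reader.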
From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v6 3/5] staging: rtl8723bs: fix out-of-bounds read in portctrl()
Date: Fri, 17 Apr 2026 07:10:46 +0100
Message-ID: <20260417061048.62484-4-delenetchior1@gmail.com>
In-Reply-To: <20260417061048.62484-1-delenetchior1@gmail.com>
References: <20260417061048.62484-1-delenetchior1@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

In portctrl(), when 802.1X port control is enabled and a non-EAPOL frame is received, the ether_type is read from the LLC header without verifying that the frame actually contains enough bytes to hold the MAC header, IV and the LLC header plus two bytes of ether_type. For sufficiently short frames, the memcpy() that loads be_tmp reads past the end of the receive buffer.

An attacker within WiFi radio range can exploit this by sending a crafted short frame. No authentication is required.

Validate the frame length before dereferencing the LLC header; drop the frame if it is too short.

Found by reviewing length validation in the receive path. Not tested on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Delene Tchio Romuald
Reviewed-by: Dan Carpenter
Reviewed-by: Luka Gejak
---
v6: drop the unrelated cleanups (ptr = ptr + X -> ptr += X, ether_type inversion into direct return NULL); the patch now only adds the short-frame length check before dereferencing the LLC header (Dan Carpenter).
v5: return NULL directly on the short-frame and non-EAPOL error paths (Dan Carpenter).
v4: add Fixes: tag and Cc: stable (Dan Carpenter).
v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl.
v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply).

drivers/staging/rtl8723bs/core/rtw_recv.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rt= l8723bs/core/rtw_recv.c index e30617875a69d..b476f7a03a234 100644 --- a/drivers/staging/rtl8723bs/core/rtw_recv.c +++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -539,6 +539,14 @@ static union recv_frame *portctrl(struct adapter *adap= ter, union recv_frame *pre =20 prtnframe =3D precv_frame; =20 + /* Ensure frame has LLC header and ether_type */ + if (pfhdr->len < pattrib->hdrlen + + pattrib->iv_len + LLC_HEADER_LENGTH + 2) { + rtw_free_recvframe(precv_frame, + &adapter->recvpriv.free_recv_queue); + return NULL; + } + /* get ether_type */ ptr =3D ptr + pfhdr->attrib.hdrlen + pfhdr->attrib.iv_len + LLC_HEADER_= LENGTH; memcpy(&be_tmp, ptr, 2); --=20 2.43.0
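Review bot: the length check reads `pattrib->hdrlen` and `pattrib->iv_len` while the pointer arithmetic it protects, two lines below, uses `pfhdr->attrib.hdrlen` and `pfhdr->attrib.iv_len`; spelling both the same way, or computing one local offset and using it in both the comparison and the `ptr = ptr + ...` line, would make it obvious at a glance that the bytes validated are exactly the bytes `memcpy(&be_tmp, ptr, 2)` reads. The `+ 2` in the comparison is the ether_type size; naming it in the comment ("LLC header and the 2-byte ether_type") makes the constant self-explaining.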
From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v6 4/5] staging: rtl8723bs: fix out-of-bounds reads in IE parsing functions
Date: Fri, 17 Apr 2026 07:10:47 +0100
Message-ID: <20260417061048.62484-5-delenetchior1@gmail.com>
In-Reply-To: <20260417061048.62484-1-delenetchior1@gmail.com>
References: <20260417061048.62484-1-delenetchior1@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

rtw_get_wapi_ie(), rtw_get_sec_ie() and rtw_get_wps_ie() walk a buffer of Information Elements using the TLV length field without first verifying that the length byte itself is inside the buffer, and without verifying that the specific bytes dereferenced by the subsequent memcmp() calls fit inside the declared element.

An attacker within WiFi radio range can exploit this by sending crafted beacon or probe-response frames carrying truncated or oversized IEs. No authentication is required.

Ensure the length byte is inside the buffer (cnt + 1 < in_len), break out of the loop if the declared element length would read past in_len, and before each memcmp() verify that the offsets it touches are inside the buffer: cnt + 10 for the WAPI OUI compared at offset 6, and cnt + 6 for the WPA/WPS OUIs compared at offset 2.

Found by reviewing bounds checks in IE walkers. Not tested on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Delene Tchio Romuald
Reviewed-by: Dan Carpenter
Reviewed-by: Luka Gejak
---
v6: unchanged.
v5: add an inner bound check before each memcmp() so that the OUI read at offset 6 (WAPI) or offset 2 (WPA/WPS) stays inside the declared element (Dan Carpenter).
v4: add Fixes: tag and Cc: stable (Dan Carpenter).
v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl.
v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply).

.../staging/rtl8723bs/core/rtw_ieee80211.c | 70 +++++++++++++------
1 file changed, 47 insertions(+), 23 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c b/drivers/stagi= ng/rtl8723bs/core/rtw_ieee80211.c index 72b7f731dd471..1b61879acb48e 100644 --- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c +++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c @@ -582,18 +582,25 @@ int rtw_get_wapi_ie(u8 *in_ie, uint in_len, u8 *wapi_= ie, u16 *wapi_len) =20 cnt =3D (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_); =20 - while (cnt < in_len) { + while (cnt + 1 < in_len) { authmode =3D in_ie[cnt]; =20 - if (authmode =3D=3D WLAN_EID_BSS_AC_ACCESS_DELAY && - (!memcmp(&in_ie[cnt + 6], wapi_oui1, 4) || - !memcmp(&in_ie[cnt + 6], wapi_oui2, 4))) { - if (wapi_ie) - memcpy(wapi_ie, &in_ie[cnt], in_ie[cnt + 1] + 2); + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; + + if (authmode =3D=3D WLAN_EID_BSS_AC_ACCESS_DELAY) { + if (cnt + 10 > in_len) + break; =20 - if (wapi_len) - *wapi_len =3D in_ie[cnt + 1] + 2; + if (!memcmp(&in_ie[cnt + 6], wapi_oui1, 4) || + !memcmp(&in_ie[cnt + 6], wapi_oui2, 4)) { + if (wapi_ie) + memcpy(wapi_ie, &in_ie[cnt], + in_ie[cnt + 1] + 2); =20 + if (wapi_len) + *wapi_len =3D in_ie[cnt + 1] + 2; + } } =20 cnt +=3D in_ie[cnt + 1] + 2; /* get next */
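Review bot: the inner guard `if (cnt + 10 > in_len) break;` bounds the OUI read against the end of the buffer rather than against the element whose length was just validated by `if (cnt + 2 + in_ie[cnt + 1] > in_len) break;`, although the v5 changelog describes the read as staying "inside the declared element". A WLAN_EID_BSS_AC_ACCESS_DELAY element with fewer than 8 body bytes that is followed by further IEs passes this guard, and `memcmp(&in_ie[cnt + 6], ...)` then compares bytes belonging to the next element: still in bounds, so not a memory-safety problem, but a possible false match. Testing the element itself, `in_ie[cnt + 1] < 8` (4 OUI bytes starting at body offset 4), and skipping to the next element instead of `break`-ing would match the changelog and would not abandon the rest of the walk because one element is short.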
@@ -615,15 +622,23 @@ void rtw_get_sec_ie(u8 *in_ie, uint in_len, u8 *rsn_i= e, u16 *rsn_len, u8 *wpa_ie =20 cnt =3D (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_); =20 - while (cnt < in_len) { + while (cnt + 1 < in_len) { authmode =3D in_ie[cnt]; =20 - if ((authmode =3D=3D WLAN_EID_VENDOR_SPECIFIC) && - (!memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4))) { - if (wpa_ie) - memcpy(wpa_ie, &in_ie[cnt], in_ie[cnt + 1] + 2); + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; + + if (authmode =3D=3D WLAN_EID_VENDOR_SPECIFIC) { + if (cnt + 6 > in_len) + break; + + if (!memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4)) { + if (wpa_ie) + memcpy(wpa_ie, &in_ie[cnt], + in_ie[cnt + 1] + 2); =20 - *wpa_len =3D in_ie[cnt + 1] + 2; + *wpa_len =3D in_ie[cnt + 1] + 2; + } } else if (authmode =3D=3D WLAN_EID_RSN) { if (rsn_ie) memcpy(rsn_ie, &in_ie[cnt], in_ie[cnt + 1] + 2); 
@@ -658,21 +673,30 @@ u8 *rtw_get_wps_ie(u8 *in_ie, uint in_len, u8 *wps_ie= , uint *wps_ielen) =20 cnt =3D 0; =20 - while (cnt < in_len) { + while (cnt + 1 < in_len) { eid =3D in_ie[cnt]; =20 - if ((eid =3D=3D WLAN_EID_VENDOR_SPECIFIC) && (!memcmp(&in_ie[cnt + 2], w= ps_oui, 4))) { - wpsie_ptr =3D &in_ie[cnt]; + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; =20 - if (wps_ie) - memcpy(wps_ie, &in_ie[cnt], in_ie[cnt + 1] + 2); + if (eid =3D=3D WLAN_EID_VENDOR_SPECIFIC) { + if (cnt + 6 > in_len) + break; =20 - if (wps_ielen) - *wps_ielen =3D in_ie[cnt + 1] + 2; + if (!memcmp(&in_ie[cnt + 2], wps_oui, 4)) { + wpsie_ptr =3D &in_ie[cnt]; =20 - cnt +=3D in_ie[cnt + 1] + 2; + if (wps_ie) + memcpy(wps_ie, &in_ie[cnt], + in_ie[cnt + 1] + 2); =20 - break; + if (wps_ielen) + *wps_ielen =3D in_ie[cnt + 1] + 2; + + cnt +=3D in_ie[cnt + 1] + 2; + + break; + } } cnt +=3D in_ie[cnt + 1] + 2; /* goto next */ } --=20 2.43.0
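Review bot: in the rtw_get_wapi_ie() hunk, `if (cnt + 10 > in_len) break;` guards the buffer rather than the declared element, and it ends the walk instead of skipping the element. The preceding `if (cnt + 2 + in_ie[cnt + 1] > in_len) break;` already guarantees the whole element is inside the buffer, so `cnt + 10 > in_len` can only be true when the declared length is below 8, i.e. when the element is too short to carry an OUI at offset 6 at all; the same short element sitting in the middle of the buffer passes the check, and the two memcmp() calls then compare bytes of the following element as if they were the OUI. Testing the declared length directly, e.g. `if (in_ie[cnt + 1] >= 8 && (!memcmp(&in_ie[cnt + 6], wapi_oui1, 4) || !memcmp(&in_ie[cnt + 6], wapi_oui2, 4)))`, handles both cases, matches the v5 changelog wording about the read staying inside the declared element, and lets control fall through to `cnt += in_ie[cnt + 1] + 2;` so one malformed element no longer hides the IEs after it.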
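Review bot: in the rtw_get_sec_ie() hunk the new `if (cnt + 6 > in_len) break;` has the same shape as the WAPI check and the same two gaps: it is reachable only when the declared length is below 4 (the element-fits check above it has already passed), yet a vendor element with a short declared length elsewhere in the buffer still reaches memcmp() and reads into the next element, and `break` abandons the walk. That matters more here because the same loop also recognises WLAN_EID_RSN in the `else if` branch below, so a short vendor IE placed before the RSN IE now makes the RSN IE invisible to the caller. Prefer `if (in_ie[cnt + 1] >= 4 && !memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4))` and let a non-match continue to the `cnt +=` advance. Separately, and visible in the context: `*wpa_len = in_ie[cnt + 1] + 2;` is written unconditionally while wpa_ie is NULL-checked just above it; if a NULL wpa_len is ever legal for callers, it wants the same `if (wpa_len)` guard that the WAPI variant uses for wapi_len.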
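Review bot: in the rtw_get_wps_ie() hunk, `if (cnt + 6 > in_len) break;` is again only true when `in_ie[cnt + 1] < 4`, so writing the condition on the declared length makes the intent explicit and also covers a too-short vendor element that is not the last one in the buffer, where the current check still lets memcmp() read the first bytes of the next element as the WPS OUI. A non-matching or too-short element should advance to the next one through the existing `cnt += in_ie[cnt + 1] + 2; /* goto next */` rather than stop the search; otherwise a single short vendor IE ahead of the WPS IE defeats WPS detection entirely. The pre-existing advance-then-break inside the match branch (`cnt += in_ie[cnt + 1] + 2;` followed by `break;`) is carried over unchanged; it is harmless if cnt is unused after the loop, but a one-line comment or its removal in a follow-up would stop the next reader from puzzling over it.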
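The walk that the commit message describes, written out as an added stand-alone example (this is not the driver's code and not part of the patch): a bounds-checked IE walker that verifies the length byte is inside the buffer, that the declared body fits, and additionally that the 4-byte OUI lies inside the declared element, skipping elements that are too short instead of stopping the walk. The fixed-field offset, the EID constants, the WPA OUI bytes and the sample beacon body are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed beacon/probe-response fields before the IE list: 8-byte timestamp,
 * 2-byte beacon interval, 2-byte capability (assumed layout for this example). */
#define BEACON_FIXED_LEN 12

#define EID_SSID            0
#define EID_VENDOR_SPECIFIC 221

/* OUI + type of the WPA vendor IE as used in this example (assumed value). */
static const uint8_t WPA_OUI[4] = { 0x00, 0x50, 0xF2, 0x01 };

/*
 * Return the first vendor-specific IE in buf[fixed..len) whose 4-byte OUI
 * (element offsets 2..5) equals oui, or NULL.  *out_len receives the element
 * size including its 2-byte header.  Checks, in order:
 *   1. EID byte and length byte are both inside the buffer;
 *   2. the declared body fits inside the buffer (else: truncated, stop);
 *   3. the declared body is long enough to hold the OUI (else: skip it).
 */
const uint8_t *find_vendor_ie(const uint8_t *buf, size_t len, size_t fixed,
                              const uint8_t oui[4], size_t *out_len)
{
    size_t pos = fixed;

    while (pos + 2 <= len) {                         /* check 1 */
        uint8_t eid   = buf[pos];
        size_t  total = 2 + (size_t)buf[pos + 1];    /* header + body */

        if (pos + total > len)                       /* check 2 */
            return NULL;

        if (eid == EID_VENDOR_SPECIFIC && total >= 2 + 4 &&   /* check 3 */
            memcmp(&buf[pos + 2], oui, 4) == 0) {
            if (out_len)
                *out_len = total;
            return &buf[pos];
        }
        pos += total;                                /* total >= 2: no stall */
    }
    return NULL;
}

/* Constructed beacon body: fixed fields, an SSID IE, a vendor IE whose body
 * is too short to carry an OUI, then the WPA vendor IE at offset 22. */
static const uint8_t SAMPLE[] = {
    0, 0, 0, 0, 0, 0, 0, 0,  0x64, 0x00,  0x11, 0x04,   /* fixed fields */
    EID_SSID, 4, 'l', 'a', 'b', '1',
    EID_VENDOR_SPECIFIC, 2, 0x00, 0x50,                 /* short: skipped */
    EID_VENDOR_SPECIFIC, 6, 0x00, 0x50, 0xF2, 0x01, 0x01, 0x00,
};

/* Offset of the WPA IE within the first n bytes of SAMPLE, or -1. */
long wpa_offset(size_t n)
{
    size_t elen = 0;
    const uint8_t *p = find_vendor_ie(SAMPLE, n, BEACON_FIXED_LEN, WPA_OUI, &elen);

    return p ? (long)(p - SAMPLE) : -1;
}

/* Element length reported for the WPA IE in the first n bytes, or 0. */
size_t wpa_elem_len(size_t n)
{
    size_t elen = 0;

    if (!find_vendor_ie(SAMPLE, n, BEACON_FIXED_LEN, WPA_OUI, &elen))
        return 0;
    return elen;
}

int main(void)
{
    printf("full buffer:         offset %ld, len %zu\n",
           wpa_offset(sizeof(SAMPLE)), wpa_elem_len(sizeof(SAMPLE)));
    printf("body truncated by 3: offset %ld\n", wpa_offset(sizeof(SAMPLE) - 3));
    printf("length byte missing: offset %ld\n", wpa_offset(sizeof(SAMPLE) - 7));
    return 0;
}
```

Three inputs are exercised: the full 30-byte body (the WPA IE is found at offset 22 with length 8), the same body cut 3 bytes short (the declared length runs past the end, so the walk stops with no match), and the body cut at the WPA IE's EID byte (no length byte, so the loop condition ends the walk). The 2-byte vendor IE in the middle is skipped, not treated as a match and not allowed to end the walk.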
From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v6 5/5] staging: rtl8723bs: fix negative length in WEP decryption
Date: Fri, 17 Apr 2026 07:10:48 +0100
Message-ID: <20260417061048.62484-6-delenetchior1@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260417061048.62484-1-delenetchior1@gmail.com>
References: <20260417061048.62484-1-delenetchior1@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

In rtw_wep_decrypt(), the payload length is computed as:

    length = frame->len - prxattrib->hdrlen - prxattrib->iv_len;

All operands are unsigned. If the frame is shorter than the sum of the
header length, IV length and the 4-byte ICV, this subtraction wraps around
or produces a value smaller than 4; the subsequent
crc32_le(~0, payload, length - 4) call then wraps length - 4 to a huge
value and reads past the end of the receive buffer.

An attacker within WiFi radio range can exploit this by sending a crafted
short WEP-encrypted frame. No authentication is required.

Validate that the frame is large enough to contain at least the 4-byte ICV
on top of the header and IV before computing length.

Found by reviewing length arithmetic in the WEP decrypt path. Not tested
on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Delene Tchio Romuald Reviewed-by: Dan Carpenter Reviewed-by: Luka Gejak --- v6: unchanged. v5: tighten the length check to also cover the 4-byte ICV so that the subsequent crc32_le(payload, length - 4) call cannot underflow length - 4. v4: add Fixes: tag and Cc: stable (Dan Carpenter). v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl. v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply). drivers/staging/rtl8723bs/core/rtw_security.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/staging/rtl8723bs/core/rtw_security.c b/drivers/stagin= g/rtl8723bs/core/rtw_security.c index a00504ff29109..ddd6ed2245035 100644 --- a/drivers/staging/rtl8723bs/core/rtw_security.c +++ b/drivers/staging/rtl8723bs/core/rtw_security.c @@ -113,6 +113,12 @@ void rtw_wep_decrypt(struct adapter *padapter, u8 *pr= ecvframe) memcpy(&wepkey[0], iv, 3); /* memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[psecuritypriv->dot11Pr= ivacyKeyIndex].skey[0], keylength); */ memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[keyindex].skey[0], keylen= gth); + + /* Ensure the frame is long enough for WEP payload and ICV */ + if (((union recv_frame *)precvframe)->u.hdr.len < + prxattrib->hdrlen + prxattrib->iv_len + 4) + return; + length =3D ((union recv_frame *)precvframe)->u.hdr.len - prxattrib->hdrl= en - prxattrib->iv_len; =20 payload =3D pframe + prxattrib->iv_len + prxattrib->hdrlen; --=20 2.43.0
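Review bot: the new length check in rtw_wep_decrypt() returns silently, and because the function is void (see the hunk header) the caller cannot tell that the frame was neither decrypted nor ICV-verified; a frame that fails the check should be counted and dropped, so either bump the driver's receive-error statistic here or extend the comment to state that the caller discards the still-encrypted frame. The check also lands after the two memcpy() calls that assemble wepkey from the IV; hoisting it above them keeps all validation ahead of any work on the frame. The comparison itself, `len < hdrlen + iv_len + 4`, is the right form: comparing against the sum instead of subtracting first is what prevents the unsigned wrap the commit message describes, and it is what makes the later `length - 4` in the crc32_le() call safe.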
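The length arithmetic from the commit message, as an added example that is not the driver's code: `unchecked_crc_len()` reproduces the pre-fix subtraction on 32-bit unsigned operands so the wrap is visible, and `checked_data_len()` applies the same idea as the patch, comparing the frame length against header + IV + ICV before subtracting. The operand width, the 24-byte header and 4-byte IV used in the sample calls, and the helper names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WEP_ICV_LEN 4u   /* trailing CRC-32 integrity check value */

/*
 * The pre-fix arithmetic: every operand unsigned, no size check.
 * Returns the byte count that would be handed to the CRC routine.
 * For a frame shorter than header + IV + ICV the value wraps to
 * something close to UINT32_MAX, i.e. a read far past the buffer.
 */
uint32_t unchecked_crc_len(uint32_t frame_len, uint32_t hdrlen, uint32_t iv_len)
{
    uint32_t length = frame_len - hdrlen - iv_len;  /* wraps if frame_len < hdrlen + iv_len */

    return length - WEP_ICV_LEN;                    /* wraps again if length < 4 */
}

/*
 * Post-fix approach: compare first, subtract only when it is safe.
 * Returns true and stores the encrypted payload length (ICV included)
 * when the frame is large enough; false when the frame must be dropped.
 * The required size is formed in 64 bits so the check itself cannot wrap.
 */
bool wep_payload_len(uint32_t frame_len, uint32_t hdrlen, uint32_t iv_len,
                     uint32_t *payload_len)
{
    uint64_t need = (uint64_t)hdrlen + iv_len + WEP_ICV_LEN;

    if ((uint64_t)frame_len < need)
        return false;
    *payload_len = frame_len - hdrlen - iv_len;     /* >= 4 by construction */
    return true;
}

/* Number of ciphertext bytes covered by the ICV, or -1 when the frame is
 * rejected (this is the count the CRC would be computed over). */
long checked_data_len(uint32_t frame_len, uint32_t hdrlen, uint32_t iv_len)
{
    uint32_t payload;

    if (!wep_payload_len(frame_len, hdrlen, iv_len, &payload))
        return -1;
    return (long)(payload - WEP_ICV_LEN);
}

int main(void)
{
    /* Constructed sample frame sizes with a 24-byte MAC header and 4-byte IV:
     * 26 (shorter than header + IV), 30 (room for only 2 ICV bytes),
     * 32 (exactly header + IV + ICV, zero data bytes) and 40 (8 data bytes). */
    const uint32_t cases[] = { 26, 30, 32, 40 };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("frame_len=%u unchecked_crc_len=0x%08x checked_data_len=%ld\n",
               cases[i], unchecked_crc_len(cases[i], 24, 4),
               checked_data_len(cases[i], 24, 4));
    return 0;
}
```

The two short frames show the failure mode: the unchecked path yields 0xFFFFFFFA and 0xFFFFFFFE as the CRC byte count, while the checked path rejects both. The last assertion in the accompanying test passes a header length near UINT32_MAX to show why the required size is summed in 64 bits: with 32-bit addition the sum would wrap to a small number and the check would pass.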