From: Alexandru Hossu
To: gregkh@linuxfoundation.org
Cc: dan.carpenter@linaro.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, luka.gejak@linux.dev, hossu.alexandru@gmail.com
Subject: [PATCH v2 1/3] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
Date: Sun, 26 Apr 2026 11:51:54 +0200
Message-ID: <20260426095156.3523480-2-hossu.alexandru@gmail.com>
In-Reply-To: <20260426095156.3523480-1-hossu.alexandru@gmail.com>
References: <20260426095156.3523480-1-hossu.alexandru@gmail.com>

The IE parsing loop in update_beacon_info() advances by (pIE->length + 2) each iteration but only guards on i < len. When a malicious AP sends a Beacon whose last IE has only one byte remaining in the frame (the element_id byte lands at len-1), the loop reads pIE->length from one byte past the allocated receive buffer.

Additionally, even when the header bytes are in bounds, pIE->length itself can extend the data window beyond len, passing a truncated IE to the handler functions.

Add two guards at the top of the loop body:
1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
2. Break if the IE's declared data extends past len.

Also replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length for consistency with the sizeof(*pIE) guards added above.

Signed-off-by: Alexandru Hossu
Reviewed-by: Luka Gejak
---
v2: Replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length for consistency with the sizeof(*pIE) guards (Dan Carpenter).

 drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index 6a7c09db4cd9..e0d73c267786 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c +++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c @@ -1289,7 +1289,11 @@ void update_beacon_info(struct adapter *padapter, u8= *pframe, uint pkt_len, stru len =3D pkt_len - (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN); =20 for (i =3D 0; i < len;) { + if (i + sizeof(*pIE) > len) + break; pIE =3D (struct ndis_80211_var_ie *)(pframe + (_BEACON_IE_OFFSET_ + WLAN= _HDR_A3_LEN) + i); + if (i + sizeof(*pIE) + pIE->length > len) + break; =20 switch (pIE->element_id) { case WLAN_EID_VENDOR_SPECIFIC: 
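Review bot: both new guards compare against len, but the context line of this hunk computes len = pkt_len - (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN) in unsigned arithmetic (pkt_len is uint in the signature), so a pkt_len shorter than that offset wraps len to a huge value and both guards pass trivially. If the callers do not already reject such short frames, an early `if (pkt_len < _BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN) return;` ahead of the loop would close that case. The ordering of the two checks is right: the header check comes before the first read of pIE->length.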
@@ -1314,7 +1318,7 @@ void update_beacon_info(struct adapter *padapter, u8 = *pframe, uint pkt_len, stru break; } =20 - i +=3D (pIE->length + 2); + i +=3D sizeof(*pIE) + pIE->length; } } =20 --=20 2.53.0
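Review bot: `i += sizeof(*pIE) + pIE->length` preserves the stride of the old `pIE->length + 2` only if sizeof(struct ndis_80211_var_ie) is exactly 2, i.e. its data member is a flexible array rather than data[1]; worth confirming (or stating in the commit message), since a 3-byte struct would silently skip one byte per IE and desynchronise the walk. With that settled, the increment matches the guard arithmetic in the first hunk, so i can never advance past len.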
From: Alexandru Hossu
To: gregkh@linuxfoundation.org
Cc: dan.carpenter@linaro.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, luka.gejak@linux.dev, hossu.alexandru@gmail.com
Subject: [PATCH v2 2/3] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl()
Date: Sun, 26 Apr 2026 11:51:55 +0200
Message-ID: <20260426095156.3523480-3-hossu.alexandru@gmail.com>
In-Reply-To: <20260426095156.3523480-1-hossu.alexandru@gmail.com>
References: <20260426095156.3523480-1-hossu.alexandru@gmail.com>

Two IE parsing loops are missing the header bounds checks before they dereference pIE->length:

- issue_assocreq() walks pmlmeinfo->network.ies to build the association request. If the stored IE data ends with only an element_id byte and no length byte, pIE->length is read one byte past the end of the buffer.
- join_cmd_hdl() walks pnetwork->ies during station join and has the same problem under the same conditions.

Both buffers are filled from AP beacon and probe-response frames, so a malicious AP that sends a truncated final IE can trigger the issue.

Apply the two-guard pattern already used in OnAssocRsp():
1. Break if fewer than sizeof(*pIE) bytes remain.
2. Break if the IE's declared data extends past the buffer end.

Signed-off-by: Alexandru Hossu
Reviewed-by: Luka Gejak
---
 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index 884cd39ec756..c646dc2a1741 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -2931,7 +2931,11 @@ void issue_assocreq(struct adapter *padapter) =20 /* vendor specific IE, such as WPA, WMM, WPS */ for (i =3D sizeof(struct ndis_802_11_fix_ie); i < pmlmeinfo->network.ie_l= ength;) { + if (i + sizeof(*pIE) > pmlmeinfo->network.ie_length) + break; pIE =3D (struct ndis_80211_var_ie *)(pmlmeinfo->network.ies + i); + if (i + sizeof(*pIE) + pIE->length > pmlmeinfo->network.ie_length) + break; =20 switch (pIE->element_id) { case WLAN_EID_VENDOR_SPECIFIC: 
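Review bot: the same two checks are now repeated verbatim in update_beacon_info(), OnAssocRsp(), issue_assocreq() and join_cmd_hdl(); a small static helper, or the kernel's for_each_element() iterator from include/linux/ieee80211.h which performs the same header and length validation, would keep them from drifting apart. With the first guard in place the loop's own `i < pmlmeinfo->network.ie_length` condition is redundant; keeping it is harmless, but the redundancy is worth a mention so nobody later "fixes" one without the other.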
@@ -5324,7 +5328,11 @@ u8 join_cmd_hdl(struct adapter *padapter, u8 *pbuf) =20 /* sizeof(struct ndis_802_11_fix_ie) */ for (i =3D _FIXED_IE_LENGTH_; i < pnetwork->ie_length;) { + if (i + sizeof(*pIE) > pnetwork->ie_length) + break; pIE =3D (struct ndis_80211_var_ie *)(pnetwork->ies + i); + if (i + sizeof(*pIE) + pIE->length > pnetwork->ie_length) + break; =20 switch (pIE->element_id) { case WLAN_EID_VENDOR_SPECIFIC:/* Get WMM IE. */ --=20 2.53.0
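Review bot: breaking out silently here means every IE after a malformed one is ignored during join, including the WMM IE handled in the visible `case WLAN_EID_VENDOR_SPECIFIC:/* Get WMM IE. */` branch if it follows the truncated element; that matches the existing OnAssocRsp() behaviour, but leaves no trace. A rate-limited debug message at the break would make a truncated beacon or probe response diagnosable when a join comes up without the expected capabilities.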
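The guarded IE walk that patches 1/3 and 2/3 describe, as an added example rather than driver code: `struct var_ie` is an assumed stand-in for the driver's `struct ndis_80211_var_ie`, the second function only models the pre-patch index arithmetic without dereferencing anything, and the three IE lists are constructed, not captured frames.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-in for the driver's struct ndis_80211_var_ie (assumed layout:
 * one-byte element id, one-byte length, then a flexible payload). */
struct var_ie {
	uint8_t element_id;
	uint8_t length;
	uint8_t data[];
};

struct walk_result {
	int complete;	/* IEs whose header and payload both fit in the buffer */
	bool truncated;	/* walk stopped because a header or payload overran */
};

/* Hardened walk using the two guards from the patches: confirm the
 * header fits before touching ie->length, then that the payload fits. */
static struct walk_result walk_ies_guarded(const uint8_t *buf, size_t len)
{
	struct walk_result r = { 0, false };
	size_t i = 0;

	while (i < len) {
		const struct var_ie *ie;
		if (i + sizeof(*ie) > len) {	/* guard 1: header in bounds */
			r.truncated = true;
			break;
		}
		ie = (const struct var_ie *)(buf + i);
		if (i + sizeof(*ie) + ie->length > len) {	/* guard 2: payload */
			r.truncated = true;
			break;
		}
		r.complete++;
		i += sizeof(*ie) + ie->length;
	}
	return r;
}

/* Models the pre-patch loop "for (i = 0; i < len;) { ... i += length + 2; }"
 * without dereferencing: true if it would read the length byte at buf[len]. */
static bool old_loop_reads_past_end(const uint8_t *buf, size_t len)
{
	size_t i = 0;

	while (i < len) {
		if (i + 1 >= len)	/* element_id at len-1, length byte at len */
			return true;
		i += (size_t)buf[i + 1] + 2;
	}
	return false;
}

/* Constructed sample IE lists (not captured frames). */
static const uint8_t good_ies[] = {
	0x00, 0x04, 't', 'e', 's', 't',	/* SSID "test" */
	0x01, 0x02, 0x82, 0x84,		/* supported rates */
	0xdd, 0x03, 0x00, 0x50, 0xf2,	/* vendor-specific, OUI only */
};
/* Final IE is cut after its element_id byte: header guard trips. */
static const uint8_t truncated_header[] = { 0x00, 0x04, 't', 'e', 's', 't', 0xdd };
/* Final IE declares 8 payload bytes but only 3 remain: payload guard trips. */
static const uint8_t truncated_payload[] = { 0x00, 0x04, 't', 'e', 's', 't', 0xdd, 0x08, 0x00, 0x50, 0xf2 };
```

The third input shows why the second guard is needed on its own: the old loop never reads a header out of bounds there, yet it hands a 3-byte payload to a handler that was told it has 8.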
From: Alexandru Hossu
To: gregkh@linuxfoundation.org
Cc: dan.carpenter@linaro.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, luka.gejak@linux.dev, hossu.alexandru@gmail.com
Subject: [PATCH v2 3/3] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie()
Date: Sun, 26 Apr 2026 11:51:56 +0200
Message-ID: <20260426095156.3523480-4-hossu.alexandru@gmail.com>
In-Reply-To: <20260426095156.3523480-1-hossu.alexandru@gmail.com>
References: <20260426095156.3523480-1-hossu.alexandru@gmail.com>

supplicant_ie is a 256-byte array in struct security_priv. The WPA and WPA2 IE copy paths use:

    memcpy(padapter->securitypriv.supplicant_ie, &pwpa[0], wpa_ielen + 2);

where wpa_ielen is the raw IE length field (u8, 0-255). When a local user supplies a connect request via nl80211 with a crafted WPA IE of length 255, wpa_ielen + 2 equals 257, overflowing the 256-byte buffer by one byte into the adjacent last_mic_err_time field.

rtw_parse_wpa_ie() does not prevent this: its length consistency check compares *(wpa_ie+1) against (u8)(wpa_ie_len-2), which is (u8)(255) == 255 when wpa_ie_len = 257, so the check passes silently.

Add explicit bounds checks for both the WPA and WPA2 paths before the memcpy, rejecting any IE whose total size (wpa_ielen + 2) exceeds the supplicant_ie buffer.

Signed-off-by: Alexandru Hossu
Reviewed-by: Luka Gejak
---
 drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
index 098456e97c96..3d930d9af184 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
@@ -1443,6 +1443,10 @@ static int rtw_cfg80211_set_wpa_ie(struct adapter *p= adapter, u8 *pie, size_t iel =20 pwpa =3D rtw_get_wpa_ie(buf, &wpa_ielen, ielen); if (pwpa && wpa_ielen > 0) { + if (wpa_ielen + 2 > sizeof(padapter->securitypriv.supplicant_ie)) { + ret =3D -EINVAL; + goto exit; + } if (rtw_parse_wpa_ie(pwpa, wpa_ielen + 2, &group_cipher, &pairwise_ciphe= r, NULL) =3D=3D _SUCCESS) { padapter->securitypriv.dot11AuthAlgrthm =3D dot11AuthAlgrthm_8021X; padapter->securitypriv.ndisauthtype =3D Ndis802_11AuthModeWPAPSK; @@ -1452,6 +1456,10 @@ static int rtw_cfg80211_set_wpa_ie(struct adapter *p= adapter, u8 *pie, size_t iel =20 pwpa2 =3D rtw_get_wpa2_ie(buf, &wpa2_ielen, ielen); if (pwpa2 && wpa2_ielen > 0) { + if (wpa2_ielen + 2 > sizeof(padapter->securitypriv.supplicant_ie)) { + ret =3D -EINVAL; + goto exit; + } if (rtw_parse_wpa2_ie(pwpa2, wpa2_ielen + 2, &group_cipher, &pairwise_ci= pher, NULL) =3D=3D _SUCCESS) { padapter->securitypriv.dot11AuthAlgrthm =3D dot11AuthAlgrthm_8021X; padapter->securitypriv.ndisauthtype =3D Ndis802_11AuthModeWPA2PSK; --=20 2.53.0
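Review bot: in both hunks the new check sits before rtw_parse_wpa_ie()/rtw_parse_wpa2_ie() rather than next to the memcpy into supplicant_ie that the commit message quotes, so a reader of the copy site will not see why the bound holds; a one-line comment at the memcpy, or a single helper that compares wpa_ielen + 2 against sizeof(padapter->securitypriv.supplicant_ie) and is called from both the WPA and WPA2 branches, would tie the two together and avoid the duplicated block. Also confirm that the `exit` label reached via the new `ret = -EINVAL; goto exit;` releases whatever `buf` (the buffer passed to rtw_get_wpa_ie() in the context lines) was allocated with, since this is a new early-out in the function. The bound itself is right: 255 + 2 > 256 rejects exactly the length-255 case described in the commit message while still allowing a 254-byte IE.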