From: Alexandru Hossu
To: gregkh@linuxfoundation.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org
Cc: error27@gmail.com, luka.gejak@linux.dev, Alexandru Hossu , stable@vger.kernel.org
Subject: [PATCH v3 1/3] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
Date: Mon, 27 Apr 2026 10:16:24 +0200
Message-ID: <20260427081626.3393697-2-hossu.alexandru@gmail.com>
In-Reply-To: <20260427081626.3393697-1-hossu.alexandru@gmail.com>

The IE parsing loop in update_beacon_info() advances by (pIE->length + 2)
each iteration but only guards on i < len. When a malicious AP sends a
Beacon whose last IE has only one byte remaining in the frame (the
element_id byte lands at len-1), the loop reads pIE->length from one byte
past the allocated receive buffer.

Additionally, even when the header bytes are in bounds, pIE->length itself
can extend the data window beyond len, passing a truncated IE to the
handler functions.

Add two guards at the top of the loop body:

1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
2. Break if the IE's declared data extends past len.

Also replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length
for consistency with the sizeof(*pIE) guards added above.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak
Signed-off-by: Alexandru Hossu
--- drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/stagi= ng/rtl8723bs/core/rtw_wlan_util.c index 6a7c09db4cd9..e0d73c267786 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c +++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c @@ -1289,7 +1289,11 @@ void update_beacon_info(struct adapter *padapter, u8= *pframe, uint pkt_len, stru len =3D pkt_len - (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN); =20 for (i =3D 0; i < len;) { + if (i + sizeof(*pIE) > len) + break; pIE =3D (struct ndis_80211_var_ie *)(pframe + (_BEACON_IE_OFFSET_ + WLAN= _HDR_A3_LEN) + i); + if (i + sizeof(*pIE) + pIE->length > len) + break; =20 switch (pIE->element_id) { case WLAN_EID_VENDOR_SPECIFIC: 
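Review bot: both guards express the IE header as sizeof(*pIE) where the original code used the literal 2; that is only equivalent if struct ndis_80211_var_ie is a 2-byte header followed by a flexible array member, so please state it (a comment above the loop, or a BUILD_BUG_ON on the struct size) rather than leave it implicit. Separately, the second check `if (i + sizeof(*pIE) + pIE->length > len) break;` abandons the rest of the beacon's IEs instead of skipping the bad element; that is the conservative choice for untrusted input, but a one-line comment saying the remainder is deliberately discarded would stop the next reader from treating it as a bug.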
@@ -1314,7 +1318,7 @@ void update_beacon_info(struct adapter *padapter, u8 = *pframe, uint pkt_len, stru break; } =20 - i +=3D (pIE->length + 2); + i +=3D sizeof(*pIE) + pIE->length; } } =20 --=20 2.53.0
From: Alexandru Hossu
To: gregkh@linuxfoundation.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org
Cc: error27@gmail.com, luka.gejak@linux.dev, Alexandru Hossu , stable@vger.kernel.org
Subject: [PATCH v3 2/3] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl()
Date: Mon, 27 Apr 2026 10:16:25 +0200
Message-ID: <20260427081626.3393697-3-hossu.alexandru@gmail.com>
In-Reply-To: <20260427081626.3393697-1-hossu.alexandru@gmail.com>

Two IE parsing loops are missing the header bounds checks before they
dereference pIE->length:

- issue_assocreq() walks pmlmeinfo->network.ies to build the association
  request. If the stored IE data ends with only an element_id byte and no
  length byte, pIE->length is read one byte past the end of the buffer.

- join_cmd_hdl() walks pnetwork->ies during station join and has the same
  problem under the same conditions.

Both buffers are filled from AP beacon and probe-response frames, so a
malicious AP that sends a truncated final IE can trigger the issue.

Apply the two-guard pattern already used in OnAssocRsp():

1. Break if fewer than sizeof(*pIE) bytes remain.
2. Break if the IE's declared data extends past the buffer end.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak
Signed-off-by: Alexandru Hossu
--- drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/stagin= g/rtl8723bs/core/rtw_mlme_ext.c index 884cd39ec756..c646dc2a1741 100644 --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c @@ -2931,7 +2931,11 @@ void issue_assocreq(struct adapter *padapter) =20 /* vendor specific IE, such as WPA, WMM, WPS */ for (i =3D sizeof(struct ndis_802_11_fix_ie); i < pmlmeinfo->network.ie_l= ength;) { + if (i + sizeof(*pIE) > pmlmeinfo->network.ie_length) + break; pIE =3D (struct ndis_80211_var_ie *)(pmlmeinfo->network.ies + i); + if (i + sizeof(*pIE) + pIE->length > pmlmeinfo->network.ie_length) + break; =20 switch (pIE->element_id) { case WLAN_EID_VENDOR_SPECIFIC: 
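Review bot: when the second guard `if (i + sizeof(*pIE) + pIE->length > pmlmeinfo->network.ie_length) break;` fires, issue_assocreq() carries on and transmits an association request without whatever vendor-specific IEs (WPA, WMM, WPS per the context comment) followed the truncated element, with nothing logged; a debug print on that break path, or at least a comment, would make the resulting association oddities diagnosable. The same two checks now appear in OnAssocRsp(), update_beacon_info() and join_cmd_hdl() as well, so a small static helper that performs both would keep the copies from drifting.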
@@ -5324,7 +5328,11 @@ u8 join_cmd_hdl(struct adapter *padapter, u8 *pbuf) =20 /* sizeof(struct ndis_802_11_fix_ie) */ for (i =3D _FIXED_IE_LENGTH_; i < pnetwork->ie_length;) { + if (i + sizeof(*pIE) > pnetwork->ie_length) + break; pIE =3D (struct ndis_80211_var_ie *)(pnetwork->ies + i); + if (i + sizeof(*pIE) + pIE->length > pnetwork->ie_length) + break; =20 switch (pIE->element_id) { case WLAN_EID_VENDOR_SPECIFIC:/* Get WMM IE. */ --=20 2.53.0
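Review bot: this loop starts at `_FIXED_IE_LENGTH_` while the issue_assocreq() loop starts at `sizeof(struct ndis_802_11_fix_ie)`; the context comment asserts they are the same, but since the new guards compare offsets against ie_length it is worth confirming the two constants agree, so a truncated final IE is rejected at the same point in both walks. The guard pair itself is a verbatim copy of the issue_assocreq() one with pnetwork substituted, which argues for a shared helper rather than a fourth hand-written copy.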
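The two-guard walk that patches 1/3 and 2/3 add, as an added C example that is not part of this series or the rtl8723bs driver: a stand-alone walker over constructed IE buffers with both checks, beside a replay of the original loop's control flow that reports the point where its header read would leave the buffer. The struct var_ie layout (2-byte header plus flexible array) is an assumption mirroring ndis_80211_var_ie; the sample buffers are constructed.

```c
/* Added example, not code from the rtl8723bs driver or this series: the
 * two-guard IE walk the patches add, run over constructed IE buffers, and a
 * replay of the original loop's control flow showing where its header read
 * leaves the buffer. struct var_ie mirrors the driver's ndis_80211_var_ie
 * (assumed: 2-byte header plus flexible array, so sizeof(*pIE) == 2). */
#include <stddef.h>
#include <stdint.h>

struct var_ie {
    uint8_t element_id;
    uint8_t length;
    uint8_t data[];
};

struct walk_result {
    int count;      /* complete IEs seen */
    int truncated;  /* 1 when the walk stopped on a short or overlong IE */
};

/* Hardened loop: both checks run before pIE->length is dereferenced. */
static struct walk_result walk_ies(const uint8_t *ies, size_t len)
{
    struct walk_result r = { 0, 0 };
    const struct var_ie *pIE;
    size_t i = 0;

    while (i < len) {
        if (i + sizeof(*pIE) > len) {          /* guard 1: header in bounds */
            r.truncated = 1;
            break;
        }
        pIE = (const struct var_ie *)(ies + i);
        if (i + sizeof(*pIE) + pIE->length > len) { /* guard 2: body fits */
            r.truncated = 1;
            break;
        }
        r.count++;
        i += sizeof(*pIE) + pIE->length;
    }
    return r;
}

/* Replays the original loop (only i < len checked, step length + 2) without
 * touching memory: returns 1 at the iteration where the old code would read
 * pIE->length from ies[len], one byte past the end of the buffer. */
static int legacy_would_read_oob(const uint8_t *ies, size_t len)
{
    size_t i = 0;

    while (i < len) {
        if (i + 1 >= len)       /* element_id is the last in-bounds byte */
            return 1;
        i += 2u + ies[i + 1];   /* original: i += pIE->length + 2 */
    }
    return 0;
}

/* Constructed samples: SSID "ab" then a 1-byte DS Parameter Set IE ... */
static const uint8_t good_ies[] = { 0x00, 2, 'a', 'b', 0x03, 1, 6 };
/* ... the same with a lone element_id byte and no length byte appended ... */
static const uint8_t lone_id[]  = { 0x00, 2, 'a', 'b', 0x03, 1, 6, 0xdd };
/* ... and a final vendor IE declaring 10 body bytes when only 1 remains. */
static const uint8_t overlong[] = { 0x00, 2, 'a', 'b', 0xdd, 10, 0x00 };
```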
From: Alexandru Hossu
To: gregkh@linuxfoundation.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org
Cc: error27@gmail.com, luka.gejak@linux.dev, Alexandru Hossu , stable@vger.kernel.org
Subject: [PATCH v3 3/3] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie()
Date: Mon, 27 Apr 2026 10:16:26 +0200
Message-ID: <20260427081626.3393697-4-hossu.alexandru@gmail.com>
In-Reply-To: <20260427081626.3393697-1-hossu.alexandru@gmail.com>

supplicant_ie is a 256-byte array in struct security_priv. The WPA and
WPA2 IE copy paths use:

    memcpy(padapter->securitypriv.supplicant_ie, &pwpa[0], wpa_ielen + 2);

where wpa_ielen is the raw IE length field (u8, 0-255). When a local user
supplies a connect request via nl80211 with a crafted WPA IE of length
255, wpa_ielen + 2 equals 257, overflowing the 256-byte buffer by one
byte into the adjacent last_mic_err_time field.

rtw_parse_wpa_ie() does not prevent this: its length consistency check
compares *(wpa_ie+1) against (u8)(wpa_ie_len-2), which is (u8)(255) == 255
when wpa_ie_len = 257, so the check passes silently.

Add explicit bounds checks for both the WPA and WPA2 paths before the
memcpy, rejecting any IE whose total size (wpa_ielen + 2) exceeds the
supplicant_ie buffer.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak
Signed-off-by: Alexandru Hossu
--- drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c b/drivers/st= aging/rtl8723bs/os_dep/ioctl_cfg80211.c index 098456e97c96..3d930d9af184 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c @@ -1443,6 +1443,10 @@ static int rtw_cfg80211_set_wpa_ie(struct adapter *p= adapter, u8 *pie, size_t iel =20 pwpa =3D rtw_get_wpa_ie(buf, &wpa_ielen, ielen); if (pwpa && wpa_ielen > 0) { + if (wpa_ielen + 2 > sizeof(padapter->securitypriv.supplicant_ie)) { + ret =3D -EINVAL; + goto exit; + } if (rtw_parse_wpa_ie(pwpa, wpa_ielen + 2, &group_cipher, &pairwise_ciphe= r, NULL) =3D=3D _SUCCESS) { padapter->securitypriv.dot11AuthAlgrthm =3D dot11AuthAlgrthm_8021X; padapter->securitypriv.ndisauthtype =3D Ndis802_11AuthModeWPAPSK; @@ -1452,6 +1456,10 @@ static int rtw_cfg80211_set_wpa_ie(struct adapter *p= adapter, u8 *pie, size_t iel =20 pwpa2 =3D rtw_get_wpa2_ie(buf, &wpa2_ielen, ielen); if (pwpa2 && wpa2_ielen > 0) { + if (wpa2_ielen + 2 > sizeof(padapter->securitypriv.supplicant_ie)) { + ret =3D -EINVAL; + goto exit; + } if (rtw_parse_wpa2_ie(pwpa2, wpa2_ielen + 2, &group_cipher, &pairwise_ci= pher, NULL) =3D=3D _SUCCESS) { padapter->securitypriv.dot11AuthAlgrthm =3D dot11AuthAlgrthm_8021X; padapter->securitypriv.ndisauthtype =3D Ndis802_11AuthModeWPA2PSK; --=20 2.53.0
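Review bot: the literal `+ 2` in `if (wpa_ielen + 2 > sizeof(padapter->securitypriv.supplicant_ie))` is the element_id/length header, the same quantity the earlier patches in this series spell as sizeof(*pIE); a short comment or a named constant would make the bound self-explanatory and keep the two spellings from reading as different things. The placement is right: the check precedes rtw_parse_wpa_ie() and the securitypriv assignments, so nothing is written before the IE is rejected.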
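Review bot: the second hunk is the WPA check with wpa2_ielen substituted, including a duplicated `ret = -EINVAL; goto exit;` block; a small static helper would avoid maintaining the limit in two places. Also worth one sentence in the changelog: an oversized WPA/RSN IE supplied through nl80211 now fails the connect with -EINVAL instead of being stored, which is a user-visible behaviour change.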
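The overflow and fix described in 3/3, as an added C example that is not code from this series or the driver: the (u8) length-consistency check as the changelog describes it, the bounded copy the patch introduces, and a constructed maximum-length IE run through both. struct security_priv here is a stand-in; only the 256-byte size and the last_mic_err_time field name come from the changelog.

```c
/* Added example, not code from the rtl8723bs driver or this series: the
 * supplicant_ie copy from the changelog, the (u8) length-consistency check
 * that lets a 255-byte IE through, and the bound the patch adds before the
 * memcpy. struct security_priv is a constructed stand-in; only the array
 * size (256) and the neighbouring field name come from the changelog. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct security_priv {
    uint8_t supplicant_ie[256];
    uint32_t last_mic_err_time;   /* where a 257th byte would land */
};

/* Mirrors the check described for rtw_parse_wpa_ie(): the IE's own length
 * byte is compared with (u8)(wpa_ie_len - 2), so wpa_ie_len == 257 yields
 * (u8)255 == 255 and passes. Returns 1 when the check passes. */
static int legacy_len_check_passes(const uint8_t *wpa_ie, size_t wpa_ie_len)
{
    return wpa_ie[1] == (uint8_t)(wpa_ie_len - 2);
}

/* Patched copy: reject before memcpy when element_id + length byte + body
 * (wpa_ielen + 2) does not fit. Returns 0 on success, -1 for the patch's
 * -EINVAL path; without the check, wpa_ielen == 255 writes 257 bytes. */
static int store_supplicant_ie(struct security_priv *sp, const uint8_t *pwpa,
                               unsigned wpa_ielen)
{
    if (wpa_ielen + 2 > sizeof(sp->supplicant_ie))
        return -1;
    memcpy(sp->supplicant_ie, pwpa, wpa_ielen + 2);
    return 0;
}

/* Builds a constructed vendor-specific IE with the given length byte into
 * buf (which must hold length + 2 bytes); returns the total IE size. */
static size_t make_ie(uint8_t *buf, uint8_t length)
{
    buf[0] = 0xdd;                  /* WLAN_EID_VENDOR_SPECIFIC */
    buf[1] = length;
    memset(buf + 2, 0x41, length);  /* body contents do not matter here */
    return (size_t)length + 2;
}

/* Does the old consistency check accept an IE with this length byte? */
static int legacy_check_passes_for(uint8_t length)
{
    uint8_t ie[257];                /* largest IE: 255 body bytes + header */
    size_t total = make_ie(ie, length);

    return legacy_len_check_passes(ie, total);
}

/* Does the patched store accept (0) or reject (-1) that same IE? */
static int store_result_for(uint8_t length)
{
    struct security_priv sp;
    uint8_t ie[257];

    memset(&sp, 0, sizeof(sp));
    make_ie(ie, length);
    return store_supplicant_ie(&sp, ie, length);
}
```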