From: Alexandru Hossu
To: gregkh@linuxfoundation.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org
Cc: error27@gmail.com, stable@vger.kernel.org, luka.gejak@linux.dev, hansg@kernel.org, Alexandru Hossu
Subject: [PATCH v7 1/2] staging: rtl8723bs: fix Challenge Text IE length checks in OnAuthClient() and OnAuth()
Date: Tue, 5 May 2026 23:13:15 +0200
Message-ID: <20260505211316.3837020-2-hossu.alexandru@gmail.com>
In-Reply-To: <20260505211316.3837020-1-hossu.alexandru@gmail.com>
References: <2026050453-scorer-rebate-3898@gregkh> <20260505211316.3837020-1-hossu.alexandru@gmail.com>

Two functions process Challenge Text IEs without verifying that the IE
length matches the 128-byte buffer:

1. OnAuthClient() shared key path (STA mode). rtw_get_ie() returns the
   raw IE length from the received frame, which can be up to 255. This
   length is used directly in memcpy() into chg_txt[128] with no bounds
   check, allowing a heap overflow of up to 127 bytes when a rogue AP
   sends an Auth seq=2 frame with a Challenge Text IE longer than 128
   bytes.

2. OnAuth() sequence 3 path (AP mode). When a STA completes shared-key
   authentication, OnAuth() calls rtw_get_ie() to find the Challenge
   Text IE, checks only that the IE is present and has nonzero length,
   then calls memcmp((p + 2), pstat->chg_txt, 128). If a rogue STA sends
   a Challenge Text IE shorter than 128 bytes, memcmp reads past the end
   of the IE payload into adjacent packet data, causing an out-of-bounds
   read.

IEEE 802.11 mandates the Challenge Text element carries exactly 128
bytes of challenge data. Add len != sizeof(pmlmeinfo->chg_txt) and
ie_len != sizeof(pstat->chg_txt) guards to reject any element whose
length field does not match.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu
---
Changes in v7:
- No code changes from v6; dropping Reviewed-by: Dan Carpenter because
  patch 2/2 changes code from the reviewed version.

 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/stagin= g/rtl8723bs/core/rtw_mlme_ext.c index 5f00fe282d1b..dd3c94d314d8 100644 --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c @@ -802,7 +802,7 @@ unsigned int OnAuth(struct adapter *padapter, union rec= v_frame *precv_frame) p =3D rtw_get_ie(pframe + WLAN_HDR_A3_LEN + 4 + _AUTH_IE_OFFSET_, WLAN_= EID_CHALLENGE, (int *)&ie_len, len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_ - 4); =20 - if (!p || ie_len <=3D 0) { + if (!p || ie_len !=3D sizeof(pstat->chg_txt)) { status =3D WLAN_STATUS_CHALLENGE_FAIL; goto auth_fail; }
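Review bot: the new OnAuth() guard compares ie_len against sizeof(pstat->chg_txt), but the memcmp() it protects keeps a literal 128 (the commit message quotes it as `memcmp((p + 2), pstat->chg_txt, 128)`); use `sizeof(pstat->chg_txt)` there as well, or one named constant for both, so the check and the compare cannot drift apart. Also worth stating in the message whether rtw_get_ie() verifies that the element's declared length fits inside the `len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_ - 4` limit or only bounds its own scan: if the latter, an element declaring 128 bytes near the end of a short frame passes this test and memcmp() still reads past the frame, and an explicit `p + 2 + ie_len <= pframe + len` check is needed alongside it.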
@@ -891,7 +891,7 @@ unsigned int OnAuthClient(struct adapter *padapter, uni= on recv_frame *precv_fram p =3D rtw_get_ie(pframe + WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_, WLAN_EID_= CHALLENGE, (int *)&len, pkt_len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_); =20 - if (!p) + if (!p || len !=3D sizeof(pmlmeinfo->chg_txt)) goto authclnt_fail; =20 memcpy(pmlmeinfo->chg_txt, p + 2, len);
-- 
2.53.0
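Review bot: with `len` now required to equal sizeof(pmlmeinfo->chg_txt), the memcpy() on the following line can take `sizeof(pmlmeinfo->chg_txt)` as its length instead of `len`, which makes the destination bound visible at the copy site and keeps static checkers from flagging a variable-length copy into a fixed array. The same source-side question as in OnAuth() applies: the guard bounds the destination, not the source, so unless rtw_get_ie() rejects an element whose declared length exceeds the remaining `pkt_len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_` bytes, add `p + 2 + len <= pframe + pkt_len` (or equivalent) before the memcpy(). The `(int *)&len` cast on the rtw_get_ie() call indicates len is not declared as int; that is pre-existing, but since this line is being touched anyway, a signed local for the IE length would remove the type punning.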
From: Alexandru Hossu
To: gregkh@linuxfoundation.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org
Cc: error27@gmail.com, stable@vger.kernel.org, luka.gejak@linux.dev, hansg@kernel.org, Alexandru Hossu
Subject: [PATCH v7 2/2] staging: rtl8723bs: fix missing frame length checks in OnAuth() and OnAuthClient()
Date: Tue, 5 May 2026 23:13:16 +0200
Message-ID: <20260505211316.3837020-3-hossu.alexandru@gmail.com>
In-Reply-To: <20260505211316.3837020-1-hossu.alexandru@gmail.com>
References: <2026050453-scorer-rebate-3898@gregkh> <20260505211316.3837020-1-hossu.alexandru@gmail.com>

Four out-of-bounds read paths caused by missing frame length guards:

1. OnAuth() reads GetAddr2Ptr (pframe + 10) without verifying the frame
   is at least WLAN_HDR_A3_LEN bytes long. The first operation on pframe
   after the AP-state guard is GetAddr2Ptr(pframe), which reads 6 bytes
   at offset 10..15 (Addr2). If the received frame is shorter than
   WLAN_HDR_A3_LEN (24 bytes), this reads past the end of the frame
   buffer.

   Add: if (len < WLAN_HDR_A3_LEN) goto auth_fail;

2. OnAuth() reads the algorithm and sequence fields at
   pframe + WLAN_HDR_A3_LEN + offset + {0,2} without verifying that
   those offsets are within the frame. offset is 0 for an open-system
   frame and 4 for a WEP-encapsulated frame. The reads at offset+0 and
   offset+2 are both 2-byte, so the last byte accessed is at
   WLAN_HDR_A3_LEN + offset + 3. A crafted short frame causes an
   out-of-bounds read.

   Add: if (len < WLAN_HDR_A3_LEN + offset + 4) goto auth_fail;

3. OnAuthClient() calls get_da(pframe) without verifying the frame is at
   least WLAN_HDR_A3_LEN bytes long. get_da() inspects the ToDs and FrDs
   bits in Frame Control (bytes 0..1) and returns either Addr1 (bytes
   4..9) or Addr3 (bytes 16..21). A frame shorter than WLAN_HDR_A3_LEN
   (24 bytes) causes an out-of-bounds read in either case.

   Add: if (pkt_len < WLAN_HDR_A3_LEN) goto authclnt_fail;

4. OnAuthClient() reads the sequence field at
   pframe + WLAN_HDR_A3_LEN + offset + 2 and the status field at
   offset + 4 without verifying those offsets are within the frame.
   offset is 0 for open-system and 4 for WEP. The status read at
   offset+4 is 2 bytes, so the last byte accessed is at
   WLAN_HDR_A3_LEN + offset + 5.

   Add: if (pkt_len < WLAN_HDR_A3_LEN + offset + 6) goto authclnt_fail;

Note: a previous version of this patch claimed that the signed/unsigned
mismatch in the rtw_get_ie() limit parameter caused an out-of-bounds
scan when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_. This is
incorrect: rtw_get_ie() declares its limit as signed int, so the wrapped
unsigned value is reinterpreted as a large negative number, which is
immediately caught by the if (limit < 2) return NULL; guard inside
rtw_get_ie(). The actual out-of-bounds reads are the four direct pframe
dereferences listed above.

OnAssocRsp() was already fixed by a separate series.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu
---
Changes in v7:
- Add frame length checks for OnAuth(): guard before GetAddr2Ptr
  (len < WLAN_HDR_A3_LEN) and guard before algorithm/seq reads
  (len < WLAN_HDR_A3_LEN + offset + 4) (sashiko review of v6).
- Correct commit message: remove incorrect claim that rtw_get_ie()
  unsigned underflow causes OOB scan; rtw_get_ie() uses signed int limit
  and returns NULL when limit < 2 (sashiko review of v6).

Changes in v6:
- Add frame length checks for OnAuthClient(): guard before get_da()
  (pkt_len < WLAN_HDR_A3_LEN) and guard before seq/status reads
  (pkt_len < WLAN_HDR_A3_LEN + offset + 6).
- Correct commit message: OnAssocRsp() was already fixed in a separate
  series.

 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/stagin= g/rtl8723bs/core/rtw_mlme_ext.c index dd3c94d314d8..b42eab61d8a8 100644 --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c @@ -687,6 +687,9 @@ unsigned int OnAuth(struct adapter *padapter, union rec= v_frame *precv_frame) if ((pmlmeinfo->state&0x03) !=3D WIFI_FW_AP_STATE) return _FAIL; =20 + if (len < WLAN_HDR_A3_LEN) + goto auth_fail; + sa =3D GetAddr2Ptr(pframe); =20 auth_mode =3D psecuritypriv->dot11AuthAlgrthm; @@ -709,6 +712,9 @@ unsigned int OnAuth(struct adapter *padapter, union rec= v_frame *precv_frame) offset =3D 4; } =20 + if (len < WLAN_HDR_A3_LEN + offset + 4) + goto auth_fail; + algorithm =3D le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN = + offset)); seq =3D le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offs= et + 2)); =20 @@ -860,6 +866,9 @@ unsigned int OnAuthClient(struct adapter *padapter, uni= on recv_frame *precv_fram u8 *pframe =3D precv_frame->u.hdr.rx_data; uint pkt_len =3D precv_frame->u.hdr.len; =20 + if (pkt_len < WLAN_HDR_A3_LEN) + goto authclnt_fail; + /* check A1 matches or not */ if (memcmp(myid(&(padapter->eeprompriv)), get_da(pframe), ETH_ALEN)) return _SUCCESS; @@ -869,6 +878,9 @@ unsigned int OnAuthClient(struct adapter *padapter, uni= on recv_frame *precv_fram =20 offset =3D (GetPrivacy(pframe)) ? 4 : 0; =20 + if (pkt_len < WLAN_HDR_A3_LEN + offset + 6) + goto authclnt_fail; + seq =3D le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offs= et + 2)); status =3D le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + o= ffset + 4)); =20 --=20 2.53.0
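Review bot: in the first OnAuth() hunk, `goto auth_fail` runs before `sa = GetAddr2Ptr(pframe)` and before `status` has been assigned (the 1/2 hunk sets `status = WLAN_STATUS_CHALLENGE_FAIL` immediately before its own goto auth_fail, which suggests the label reports status, and it would be natural for it to address the reply to `sa`). If the label uses either, a truncated frame now reaches the error path with both uninitialised, which is the same class of bad read this patch sets out to remove. Returning `_FAIL` directly, as the `WIFI_FW_AP_STATE` check two lines above already does, is the safe form of this guard.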
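Review bot: the second OnAuth() hunk has the same early-exit concern, since `status` is still unassigned at this goto, and it is placed after the `offset = 4` branch closes. If that branch touches the frame body beyond setting offset (the commit message calls this the WEP-encapsulated case, so an IV is presumably consulted or decryption runs there), it still does so on an unchecked length; either move the guard above the `if (GetPrivacy(pframe))` block with offset computed first, or give the branch its own `len < WLAN_HDR_A3_LEN + 4` test. A short comment naming the fields the literal 4 covers (algorithm at +0, seq at +2, 2 bytes each) would also save the next reader a trip to the commit message.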
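Review bot: the first OnAuthClient() hunk needs a one-line comment saying this check exists only because get_da() reads the header before the `+ offset + 6` guard further down, otherwise the two look redundant and someone will fold them. Note the asymmetry with the line right after it as well: a frame not addressed to us returns `_SUCCESS`, while a frame too short to tell jumps to authclnt_fail; if that label does anything beyond `return _FAIL` (touching the authentication state, for instance), a runt frame from any sender can now influence an authentication in progress, and a plain `return _FAIL` here keeps the two cases clearly separated.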
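Review bot: in the second OnAuthClient() hunk the literal 6 is the algorithm/seq/status prefix that the code already names `_AUTH_IE_OFFSET_` when it computes the element start (`pframe + WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_` in the rtw_get_ie() call shown in 1/2); writing `WLAN_HDR_A3_LEN + offset + _AUTH_IE_OFFSET_` ties the guard to the layout it protects and makes the OnAuth() variant easy to express the same way. The commit message could also state the property this check buys: once `pkt_len >= WLAN_HDR_A3_LEN + offset + 6`, the `pkt_len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_` limit handed to rtw_get_ie() is non-negative, which is what the correction note about the signed limit is really about.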
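Both commit messages describe the same frame layout: a 24-byte three-address header, an optional 4-byte WEP IV, the 2-byte algorithm, sequence and status fields, and then elements, of which Challenge Text must be exactly 128 bytes. The following is an added example written for this page, not code from the rtl8723bs driver or from this series, that parses that layout with every check the two patches add plus one they do not: it rejects an element whose declared length runs past the end of the frame. The names parse_auth_frame(), find_ie() and demo_case() are the example's own, and it assumes _AUTH_IE_OFFSET_ is the 6-byte fixed-field prefix (the driver's constant is not shown on this page). The test frames are constructed in demo_case(), not captured traffic.

```c
/* Added example, not code from the rtl8723bs driver or from this series: a
 * bounds-checked parser for the Authentication frame layout the two commit
 * messages describe.  Constants mirror the driver's WLAN_HDR_A3_LEN, the
 * 4-byte WEP IV offset, _AUTH_IE_OFFSET_ (assumed to be 6) and chg_txt[128];
 * the function names are the example's own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_A3_LEN     24   /* 3-address MAC header */
#define WEP_IV_LEN     4    /* driver's offset = 4 when Privacy is set */
#define AUTH_FIXED_LEN 6    /* algorithm(2) + seq(2) + status(2) */
#define EID_CHALLENGE  16   /* WLAN_EID_CHALLENGE */
#define CHALLENGE_LEN  128  /* 802.11 Challenge Text payload, sizeof(chg_txt) */
#define FC_PRIVACY     0x40 /* Protected Frame bit, 2nd Frame Control octet */

enum auth_result { AUTH_OK, AUTH_TOO_SHORT, AUTH_NO_CHALLENGE,
		   AUTH_TRUNCATED_IE, AUTH_BAD_CHALLENGE_LEN };

struct auth_frame {
	uint16_t algorithm, seq, status;
	uint8_t challenge[CHALLENGE_LEN];	/* valid only for shared-key seq 2/3 */
};

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Scan [ies, ies + limit) for eid: 1 = found, 0 = absent, -1 = some element's
 * declared length runs past the frame.  A scanner that only bounds its loop
 * counter, not each element body, never reports -1 and can hand back an
 * element whose payload lies partly outside the buffer. */
static int find_ie(const uint8_t *ies, size_t limit, uint8_t eid,
		   const uint8_t **ie, size_t *ie_len)
{
	for (size_t i = 0; i + 2 <= limit; i += 2 + ies[i + 1]) {
		if (i + 2 + ies[i + 1] > limit)
			return -1;
		if (ies[i] == eid) {
			*ie = ies + i;
			*ie_len = ies[i + 1];
			return 1;
		}
	}
	return 0;
}

enum auth_result parse_auth_frame(const uint8_t *frame, size_t len,
				  struct auth_frame *out)
{
	const uint8_t *body, *ie;
	size_t offset, ie_len;
	int rc;

	memset(out, 0, sizeof(*out));
	if (len < HDR_A3_LEN)			/* Addr1..Addr3 end at byte 23 */
		return AUTH_TOO_SHORT;
	offset = (frame[1] & FC_PRIVACY) ? WEP_IV_LEN : 0;
	if (len < HDR_A3_LEN + offset + AUTH_FIXED_LEN)	/* status ends at +5 */
		return AUTH_TOO_SHORT;
	body = frame + HDR_A3_LEN + offset;
	out->algorithm = get_le16(body);
	out->seq = get_le16(body + 2);
	out->status = get_le16(body + 4);

	/* Shared Key seq 2 (AP->STA) and seq 3 (STA->AP) carry Challenge Text. */
	if (out->algorithm != 1 || (out->seq != 2 && out->seq != 3))
		return AUTH_OK;
	rc = find_ie(body + AUTH_FIXED_LEN, len - HDR_A3_LEN - offset - AUTH_FIXED_LEN,
		     EID_CHALLENGE, &ie, &ie_len);
	if (rc < 0)
		return AUTH_TRUNCATED_IE;
	if (rc == 0)
		return AUTH_NO_CHALLENGE;
	if (ie_len != CHALLENGE_LEN)		/* the 1/2 guard: exactly 128 bytes */
		return AUTH_BAD_CHALLENGE_LEN;
	memcpy(out->challenge, ie + 2, sizeof(out->challenge));
	return AUTH_OK;
}

/* Build a constructed frame (not captured traffic) and parse it.  ie_declared
 * < 0 omits the Challenge Text element; ie_actual < ie_declared models an
 * element cut off by the end of the frame; len_override > 0 hands the parser
 * a shorter length than was built (a frame truncated in the receiver). */
enum auth_result demo_case(int privacy, uint16_t alg, uint16_t seq,
			   int ie_declared, size_t ie_actual, size_t len_override)
{
	uint8_t buf[512] = { 0 };
	struct auth_frame af;
	size_t n = HDR_A3_LEN + (privacy ? WEP_IV_LEN : 0);

	buf[0] = 0xb0;				/* management, subtype Authentication */
	buf[1] = privacy ? FC_PRIVACY : 0;
	buf[n] = (uint8_t)alg;  buf[n + 1] = (uint8_t)(alg >> 8);
	buf[n + 2] = (uint8_t)seq;  buf[n + 3] = (uint8_t)(seq >> 8);
	n += AUTH_FIXED_LEN;			/* status stays 0 */
	if (ie_declared >= 0 && ie_actual <= 255) {
		buf[n++] = EID_CHALLENGE;
		buf[n++] = (uint8_t)ie_declared;
		memset(buf + n, 0xab, ie_actual);
		n += ie_actual;
	}
	return parse_auth_frame(buf, len_override ? len_override : n, &af);
}
```

demo_case(0, 1, 2, 255, 255, 0) is the rogue-AP frame from 1/2 (a 255-byte Challenge Text in a seq 2 reply) and demo_case(1, 1, 3, 64, 64, 0) the rogue-STA one (64 bytes in a seq 3 frame); both return AUTH_BAD_CHALLENGE_LEN instead of feeding the element's length to memcpy() or memcmp(). demo_case(0, 0, 1, -1, 0, 10) is the 10-byte frame that 2/2 stops before GetAddr2Ptr()/get_da() and returns AUTH_TOO_SHORT. The case the patches do not cover is demo_case(0, 1, 2, 128, 40, 0): the element declares 128 bytes but the frame ends after 40, so a length-equals-128 check alone would pass it and the copy would read 88 bytes beyond the frame; find_ie() reports it as AUTH_TRUNCATED_IE because it checks each element's extent against the limit, not just its loop counter.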