1. Patchew
  2. linux
  3. View series

[PATCH v8 0/1] staging: rtl8723bs: fix missing frame length checks in OnAuth()

Alexandru Hossu posted 1 patch 1 month ago 
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 11 +++++++++++
1 file changed, 11 insertions(+)
[PATCH v8 0/1] staging: rtl8723bs: fix missing frame length checks in OnAuth()
Posted by Alexandru Hossu 1 month ago 
v8, addressing the sashiko review comments on v7.

The Challenge Text IE checks from v7 patch 1 and the OnAuthClient
frame length checks from v7 patch 2 are already in your tree:

  9d6d63cf3c37 ("staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path")
  6ad4395aab1e ("staging: rtl8723bs: fix missing frame length checks in OnAuthClient")

This single patch adds the remaining fix: frame length guards for the
AP-mode handler OnAuth().

What changed in v8 (compared to v7 patch 2/2):

  - The len < WLAN_HDR_A3_LEN guard uses return _FAIL instead of goto
    auth_fail.  The auth_fail block calls memcpy(pstat->hwaddr, sa, ...)
    to build a rejection frame.  At that point sa has not been
    initialised, so goto auth_fail would copy stack garbage into the
    rejection frame's destination address.  Since we cannot build a
    meaningful rejection without knowing the sender, return _FAIL is
    the correct choice.

  - A new guard is added before the iv[3] key-index read inside the
    GetPrivacy() branch.  When the Privacy bit is set, the code computes
    iv = pframe + WLAN_HDR_A3_LEN and immediately reads iv[3] without
    verifying that len >= WLAN_HDR_A3_LEN + 4.  This was a new OOB read
    path not present in any earlier version of the patch.

  - The len < WLAN_HDR_A3_LEN + offset + 4 check now sets
    status = WLAN_STATUS_UNSPECIFIED_FAILURE before goto auth_fail so
    that the rejection frame carries a defined status code rather than
    whatever happened to be on the stack.

Alexandru Hossu (1):
  staging: rtl8723bs: fix missing frame length checks in OnAuth()

 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
--
2.53.0
Re: [PATCH v8 0/1] staging: rtl8723bs: fix missing frame length checks in OnAuth()
Posted by Greg KH 3 weeks, 1 day ago 
On Mon, May 11, 2026 at 08:53:13PM +0200, Alexandru Hossu wrote:
> v8, addressing the sashiko review comments on v7.
> 
> The Challenge Text IE checks from v7 patch 1 and the OnAuthClient
> frame length checks from v7 patch 2 are already in your tree:
> 
>   9d6d63cf3c37 ("staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path")
>   6ad4395aab1e ("staging: rtl8723bs: fix missing frame length checks in OnAuthClient")
> 
> This single patch adds the remaining fix: frame length guards for the
> AP-mode handler OnAuth().

Still more comments:
	https://sashiko.dev/#/patchset/20260511185314.1625375-2-hossu.alexandru@gmail.com

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.