From: Alexandru Hossu
To: gregkh@linuxfoundation.org
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Alexandru Hossu, stable@vger.kernel.org
Subject: [PATCH v10] staging: rtl8723bs: fix WEP length underflow and OOB read in OnAuth()
Date: Fri, 22 May 2026 02:46:05 +0200
Message-ID: <20260522004605.1039209-1-hossu.alexandru@gmail.com>
In-Reply-To: <20260521130324.754100-1-hossu.alexandru@gmail.com>
References: <20260521130324.754100-1-hossu.alexandru@gmail.com>

OnAuth() has two bugs in the shared-key authentication path.

When the Privacy bit is set, rtw_wep_decrypt() is called without
verifying that the frame is long enough to contain a valid WEP IV and
ICV. Inside rtw_wep_decrypt(), length is computed as:

    length = len - WLAN_HDR_A3_LEN - iv_len

and then passed as (length - 4) to crc32_le(). If len is less than
WLAN_HDR_A3_LEN + iv_len + icv_len (32 bytes), length - 4 is negative
and, after the implicit cast to size_t, causes crc32_le() to read far
beyond the frame buffer. Add a minimum length check before accessing
the IV field and calling the decryption path.

When processing a seq=3 response, rtw_get_ie() stores the Challenge
Text IE length in ie_len, but the subsequent memcmp() always reads 128
bytes regardless of ie_len. IEEE 802.11 mandates a challenge text of
exactly 128 bytes; reject any IE whose length field differs, matching
the check already applied to OnAuthClient().

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu
---
v10: no code changes; add full version history below
--- (omitted from v9)
v9: add WLAN_HDR_A3_LEN guard and WEP minimum length check before iv[3]
    access and rtw_wep_decrypt(); tighten ie_len check from <= 0 to != 128
    to reject under-size challenge IEs
v8: standalone patch; change WLAN_HDR_A3_LEN early exit to return _FAIL
    (sa not yet initialised at that point, goto auth_fail would copy
    garbage into the rejection frame's destination address); add guard
    for iv[3] read inside GetPrivacy() branch (len < WLAN_HDR_A3_LEN + 4);
    set status = WLAN_STATUS_UNSPECIFIED_FAILURE before goto auth_fail
v7: initial OnAuth fix (sent as [PATCH v7 0/2] 2/2); add frame length
    guards before GetAddr2Ptr() and before algorithm/seq reads; correct
    commit message (rtw_get_ie() uses signed int limit and returns NULL
    when limit < 2, so the unsigned underflow OOB scan claimed in earlier
    versions cannot occur)

v9: https://lore.kernel.org/r/20260521130324.754100-1-hossu.alexandru@gmail.com
v8: https://lore.kernel.org/r/20260511185314.1625375-1-hossu.alexandru@gmail.com
v7: https://lore.kernel.org/r/20260505211316.3837020-1-hossu.alexandru@gmail.com

 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index 68ce422305ed..8575b7bd6d84 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -687,6 +687,9 @@ unsigned int OnAuth(struct adapter *padapter, union rec= v_frame *precv_frame) if ((pmlmeinfo->state&0x03) !=3D WIFI_FW_AP_STATE) return _FAIL; + if (len < WLAN_HDR_A3_LEN) + return _FAIL; + sa =3D GetAddr2Ptr(pframe); auth_mode =3D psecuritypriv->dot11AuthAlgrthm;
@@ -698,6 +701,9 @@ unsigned int OnAuth(struct adapter *padapter, union rec= v_frame *precv_frame) prxattrib->hdrlen =3D WLAN_HDR_A3_LEN; prxattrib->encrypt =3D _WEP40_; + if (len < WLAN_HDR_A3_LEN + 8) + return _FAIL; + iv =3D pframe+prxattrib->hdrlen; prxattrib->key_index =3D ((iv[3]>>6)&0x3); @@ -802,7 +808,7 @@ unsigned int OnAuth(struct adapter *padapter, union rec= v_frame *precv_frame) p =3D rtw_get_ie(pframe + WLAN_HDR_A3_LEN + 4 + _AUTH_IE_OFFSET_, WLAN_= EID_CHALLENGE, (int *)&ie_len, len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_ - 4); - if (!p || ie_len <=3D 0) { + if (!p || ie_len !=3D 128) { status =3D WLAN_STATUS_CHALLENGE_FAIL; goto auth_fail; } -- 2.54.0
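Review bot: in the first hunk (@@ -687,6 +687,9 @@), the new `if (len < WLAN_HDR_A3_LEN) return _FAIL;` drops the frame silently, and the reason (sa is not yet initialised, so goto auth_fail would address the rejection frame with garbage) lives only in the v8 changelog; add a one-line comment above the check so the distinction from the later goto auth_fail exits survives in the source.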
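Review bot: in the second hunk (@@ -698,6 +701,9 @@), `len < WLAN_HDR_A3_LEN + 8` hides the derivation the commit message gives (4-byte IV plus 4-byte ICV); write it as a sum of named lengths or comment it, since a reader comparing it with the `WLAN_HDR_A3_LEN + 4` guard described for v8 cannot tell why 8 is the right bound. Also, unlike the first guard, `sa` has already been assigned by this point (first hunk), so `status = WLAN_STATUS_UNSPECIFIED_FAILURE; goto auth_fail;` as in v8 would let the AP reject the frame rather than drop it; if the silent drop is deliberate, the commit message should say so.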
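Review bot: in the third hunk (@@ -802,7 +808,7 @@), the bare literal in `ie_len != 128` duplicates the challenge-text length that the memcmp() mentioned in the commit message also hard-codes; a named constant shared by OnAuth() and OnAuthClient() would keep the two checks from drifting. The commit message should also state that rtw_get_ie() only returns an IE whose full body lies within the limit `len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_ - 4`, since the length comparison alone does not show that the 128 bytes handed to memcmp() are inside the frame.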
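Added illustration of the two defects described in the commit message, written for this page and not taken from the driver or the patch: the signed-to-size_t underflow in the unguarded length arithmetic, the minimum-length guard that prevents it, and a bounds-checked walk to the 128-byte Challenge Text IE. The layout constants, the IE walker and the constructed sample frame are assumptions named locally.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Layout constants assumed here (local names, not the driver's macros). */
#define WLAN_HDR_A3_LEN 24   /* 3-address MAC header */
#define WEP_IV_LEN      4
#define WEP_ICV_LEN     4
#define AUTH_FIXED_LEN  6    /* algorithm + sequence + status, 2 bytes each */
#define EID_CHALLENGE   16
#define CHALLENGE_LEN   128

/* Unguarded arithmetic from the commit message: 'length' is a signed int
 * and (length - 4) lands in the size_t parameter of crc32_le(). */
size_t unguarded_crc_len(int len, int iv_len)
{
    int length = len - WLAN_HDR_A3_LEN - iv_len;
    return (size_t)(length - WEP_ICV_LEN);   /* negative int -> huge size_t */
}
/* The guard the patch adds: header + IV + ICV must fit before decrypting. */
bool wep_frame_len_ok(size_t len, size_t iv_len)
{
    return len >= WLAN_HDR_A3_LEN + iv_len + WEP_ICV_LEN;
}
/* Walk the IEs after the IV and fixed auth fields, bounds-checking each TLV;
 * accept the Challenge Text only if it is exactly 128 bytes and fully inside
 * the frame, so a later 128-byte memcmp() cannot overrun. */
const uint8_t *find_challenge_ie(const uint8_t *f, size_t len)
{
    size_t off = WLAN_HDR_A3_LEN + WEP_IV_LEN + AUTH_FIXED_LEN;
    while (off + 2 <= len) {
        uint8_t eid = f[off], ie_len = f[off + 1];
        if (off + 2 + ie_len > len)
            return NULL;                     /* truncated IE */
        if (eid == EID_CHALLENGE)
            return ie_len == CHALLENGE_LEN ? f + off + 2 : NULL;
        off += 2 + ie_len;
    }
    return NULL;
}
/* Constructed seq=3 frame whose Challenge IE header claims 'ie_len' bytes. */
bool sample_frame_accepted(uint8_t ie_len)
{
    uint8_t f[300] = {0};
    size_t off = WLAN_HDR_A3_LEN + WEP_IV_LEN + AUTH_FIXED_LEN;
    f[off] = EID_CHALLENGE;
    f[off + 1] = ie_len;
    return find_challenge_ie(f, off + 2 + ie_len) != NULL;
}
```

A 28-byte frame (header plus IV, no ICV) makes unguarded_crc_len() return (size_t)-4, which is the read length the commit message warns about; wep_frame_len_ok() rejects anything under 32 bytes first.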