From nobody Fri Jun 12 23:46:32 2026
From: Shayaun Nejad
To: Greg Kroah-Hartman
Cc: linux-staging@lists.linux.dev, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Shayaun Nejad
Subject: [PATCH 1/2] staging: rtl8723bs: fix use-after-free in validate_80211w_mgmt after decryptor()
Date: Mon, 11 May 2026 18:44:55 -0700
Message-ID: <0f4cbf05a7a594be4629ca4d7c108e6df1463321.1778550157.git.snejad123@gmail.com>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

decryptor() can release precv_frame and return NULL when protected management frame decryption fails. validate_80211w_mgmt() still uses ptr and pattrib saved from that frame for two memcpy() calls before checking the returned frame pointer.

Check the returned frame before any further access, then refresh ptr and pattrib from the returned frame.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Shayaun Nejad
---
 drivers/staging/rtl8723bs/core/rtw_recv.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rt= l8723bs/core/rtw_recv.c
index f78194d508..0e1d248d8f 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -1433,6 +1433,13 @@ static signed int validate_80211w_mgmt(struct adapte= r *adapter, union recv_frame if (!mgmt_DATA) goto validate_80211w_fail; precv_frame =3D decryptor(adapter, precv_frame); + if (!precv_frame) { + kfree(mgmt_DATA); + goto validate_80211w_fail; + } + + pattrib =3D &precv_frame->u.hdr.attrib; + ptr =3D precv_frame->u.hdr.rx_data; /* save actual management data frame body */ memcpy(mgmt_DATA, ptr + pattrib->hdrlen + pattrib->iv_len, data_len); /* overwrite the iv field */ 
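Review bot: the reload of pattrib and ptr after the new NULL check needs a one-line comment in the code, because nothing at this point in the function says why the saved pointers are stale; the commit message explains that decryptor() can release the frame, so a comment such as `/* decryptor() may have freed or replaced the frame; reload from the returned one */` above `pattrib = &precv_frame->u.hdr.attrib;` keeps that reasoning next to the code. The early `goto validate_80211w_fail` reaches the label with precv_frame == NULL, which the removed late check already did, so the label's handling of a NULL frame is unchanged, and the `kfree(mgmt_DATA)` before the goto matches the original order in which mgmt_DATA was freed before the late check, so no leak is introduced.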
@@ -1440,8 +1447,6 @@ static signed int validate_80211w_mgmt(struct adapter= *adapter, union recv_frame /* remove the iv and icv length */ pattrib->pkt_len =3D pattrib->pkt_len - pattrib->iv_len - pattrib->icv_= len; kfree(mgmt_DATA); - if (!precv_frame) - goto validate_80211w_fail; } else if (is_multicast_ether_addr(GetAddr1Ptr(ptr)) && (subtype =3D=3D WIFI_DEAUTH || subtype =3D=3D WIFI_DISASSOC)) { signed int BIP_ret =3D _SUCCESS; --=20 2.43.0
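Review bot: the commit message should also mention that `pattrib->pkt_len = pattrib->pkt_len - pattrib->iv_len - pattrib->icv_len;` in this hunk ran through the stale pattrib before the removed late check, not only the two memcpy() calls the description names; with the check moved earlier and pattrib reloaded from the returned frame, this pkt_len update now writes to the frame that is actually kept. Dropping the late `if (!precv_frame) goto validate_80211w_fail;` is correct since the earlier check covers it, and the `else if (is_multicast_ether_addr(GetAddr1Ptr(ptr)) ...` arm below closes the outer branch that called decryptor(), so it still works on the original ptr as before.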

From: Shayaun Nejad
To: Greg Kroah-Hartman
Cc: linux-staging@lists.linux.dev, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Shayaun Nejad
Subject: [PATCH 2/2] staging: rtl8723bs: bound SUPP_RATES IE length in rtw_check_beacon_data
Date: Mon, 11 May 2026 18:44:56 -0700
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

rtw_check_beacon_data() copies SUPP_RATES and EXT_SUPP_RATES IE payloads into a 16-byte support_rate[] buffer. The IE lengths are used directly, so oversized rate IEs can overflow the stack buffer.

Clamp the supported rates copy and the combined extended supported rates copy to NDIS_802_11_LENGTH_RATES_EX.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Shayaun Nejad
---
 drivers/staging/rtl8723bs/core/rtw_ap.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_ap.c b/drivers/staging/rtl8= 723bs/core/rtw_ap.c index 4b40124110..363ecb02b5 100644 --- a/drivers/staging/rtl8723bs/core/rtw_ap.c +++ b/drivers/staging/rtl8723bs/core/rtw_ap.c @@ -873,6 +873,7 @@ int rtw_check_beacon_data(struct adapter *padapter, u8 = *pbuf, int len) &ie_len, (pbss_network->ie_length - _BEACON_IE_OFFSET_)); if (p) { + ie_len =3D min_t(uint, ie_len, NDIS_802_11_LENGTH_RATES_EX); memcpy(support_rate, p + 2, ie_len); support_rate_num =3D ie_len; } @@ -882,8 +883,11 @@ int rtw_check_beacon_data(struct adapter *padapter, u8= *pbuf, int len) WLAN_EID_EXT_SUPP_RATES, &ie_len, pbss_network->ie_length - _BEACON_IE_OFFSET_); - if (p) + if (p && support_rate_num < NDIS_802_11_LENGTH_RATES_EX) { + ie_len =3D min_t(uint, ie_len, + NDIS_802_11_LENGTH_RATES_EX - support_rate_num); memcpy(support_rate + support_rate_num, p + 2, ie_len); + } =20 network_type =3D rtw_check_network_type(support_rate, channel); =20 --=20 2.43.0
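Review bot: in the first hunk (the SUPP_RATES copy), `ie_len = min_t(uint, ie_len, NDIS_802_11_LENGTH_RATES_EX);` silently truncates an oversized rates IE rather than rejecting the beacon, which is a defensible choice for a stable fix, but the description says the buffer is "16-byte" while the code clamps to NDIS_802_11_LENGTH_RATES_EX; the commit message should state how the two relate (ideally that support_rate[] is declared with that constant), and a short comment above the clamp saying the cap is the size of support_rate[] would keep the bound visibly tied to the buffer rather than to a coincidentally equal number.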
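Review bot: in the second hunk (the EXT_SUPP_RATES copy), the guard `support_rate_num < NDIS_802_11_LENGTH_RATES_EX` is not required for memory safety once the first hunk is in place, because support_rate_num can then be at most NDIS_802_11_LENGTH_RATES_EX and the subtraction would yield 0, so the min_t clamp would produce a zero-length memcpy; keeping it for readability is fine, but add a comment saying that an extended rates IE is dropped entirely when the basic rates already fill the buffer. Note also that the visible lines add nothing to support_rate_num after the extended rates copy; that is unchanged pre-existing behaviour and outside this fix, but worth a follow-up look if anything downstream treats support_rate_num as the count of all copied rates.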