From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 432CD3F822B; Thu, 16 Jul 2026 14:05:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784210743; cv=none; b=U4VqxX2g1XT2PJtqD+p01vFkmaegj4B8D41L6rSWXbRSd5ClOD9XC774NvUXJ5Yi90ilp610QSmPxmeePMNAaqbnVUEZez7LnMnKdI5Q8HzaJmtDYmBSgE/e73BMnR9NVoB/ajVN+0zC/FBm6ShhwaZWI74PWvHiB/Hoj4GUJDU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784210743; c=relaxed/simple; bh=D/g6BtDDPQcAouypePMq0kI8mCXIBYzDvQ/8Sz3ANsg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=UCFvqxTDflOzCFDoK1Vhp8L06g8QmKX5RIkp/l77VUupbLRdqnRpR3WEBKhn2oglP5tjIY89TXGFnQ6cxbsJIuffumtvS6EdR9XDm6xPZMkya/oRkTZTG7miWQt24B2LdoJjH1qnymB222oRT/JROfE/Jnnm2b4On90dKERLhxs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=oFBoN4cQ; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="oFBoN4cQ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id A739A1F000E9; Thu, 16 Jul 2026 14:05:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1784210742; bh=rYzMzmsZq6zrl1UB4S3ffkVWETi1w87di+gy3Fpz2Is=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=oFBoN4cQjG72GTsjouexT14H5jYuhmJKm3z1413h6x1Z3qXK1lF/xw5mKeZHbh0tr IF5EV5qreh5ezwpkKw8BqdxvsBfXYVnvGVE18fWI4IMG3U6BGgnPnql5mxY7KQ/AlA wsK1FTW+L9nCqQ1lVS0xu0DHweOYAWKmREQWt4sc= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, stable , Alexandru Hossu Subject: [PATCH 6.18 163/480] staging: rtl8723bs: fix WEP length underflow and OOB read in OnAuth() Date: Thu, 16 Jul 2026 15:28:30 +0200 Message-ID: <20260716133048.236209740@linuxfoundation.org> X-Mailer: git-send-email 2.55.0 In-Reply-To: <20260716133044.672218725@linuxfoundation.org> References: <20260716133044.672218725@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Alexandru Hossu commit a1fc19d61f661d47204f095b593de507884849f7 upstream. OnAuth() has two bugs in the shared-key authentication path. When the Privacy bit is set, rtw_wep_decrypt() is called without verifying that the frame is long enough to contain a valid WEP IV and ICV. Inside rtw_wep_decrypt(), length is computed as: length = len - WLAN_HDR_A3_LEN - iv_len and then passed as (length - 4) to crc32_le(). If len is less than WLAN_HDR_A3_LEN + iv_len + icv_len (32 bytes), length - 4 is negative and, after the implicit cast to size_t, causes crc32_le() to read far beyond the frame buffer. Add a minimum length check before accessing the IV field and calling the decryption path. When processing a seq=3 response, rtw_get_ie() stores the Challenge Text IE length in ie_len, but the subsequent memcmp() always reads 128 bytes regardless of ie_len. IEEE 802.11 mandates a challenge text of exactly 128 bytes; reject any IE whose length field differs, matching the check already applied to OnAuthClient(). Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable Signed-off-by: Alexandru Hossu Link: https://patch.msgid.link/20260522004605.1039209-1-hossu.alexandru@gmail.com Signed-off-by: Greg Kroah-Hartman --- drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c @@ -703,6 +703,9 @@ unsigned int OnAuth(struct adapter *pada if ((pmlmeinfo->state&0x03) != WIFI_FW_AP_STATE) return _FAIL; + if (len < WLAN_HDR_A3_LEN) + return _FAIL; + sa = GetAddr2Ptr(pframe); auth_mode = psecuritypriv->dot11AuthAlgrthm; @@ -714,6 +717,9 @@ unsigned int OnAuth(struct adapter *pada prxattrib->hdrlen = WLAN_HDR_A3_LEN; prxattrib->encrypt = _WEP40_; + if (len < WLAN_HDR_A3_LEN + 8) + return _FAIL; + iv = pframe+prxattrib->hdrlen; prxattrib->key_index = ((iv[3]>>6)&0x3); @@ -818,7 +824,7 @@ unsigned int OnAuth(struct adapter *pada p = rtw_get_ie(pframe + WLAN_HDR_A3_LEN + 4 + _AUTH_IE_OFFSET_, WLAN_EID_CHALLENGE, (int *)&ie_len, len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_ - 4); - if (!p || ie_len <= 0) { + if (!p || ie_len != 128) { status = WLAN_STATUS_CHALLENGE_FAIL; goto auth_fail; }