All of lore.kernel.org
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Panagiotis Petrakopoulos <npetrakopoulos2003@gmail.com>
Cc: linux-staging@lists.linux.dev,
	Hans de Goede <hdegoede@redhat.com>,
	Bastien Nocera <hadess@hadess.net>,
	Larry Finger <Larry.Finger@lwfinger.net>,
	Jes Sorensen <jes.sorensen@gmail.com>,
	Manuel Ebner <manuelebner@mailbox.org>,
	stable@vger.kernel.org
Subject: Re: [PATCH v2] staging: rtl8723bs: fix missing shared-key auth challenge length check
Date: Fri, 17 Jul 2026 14:21:47 +0200	[thread overview]
Message-ID: <2026071726-crust-capped-9011@gregkh> (raw)
In-Reply-To: <20260708104252.144101-1-npetrakopoulos2003@gmail.com>

On Wed, Jul 08, 2026 at 01:42:52PM +0300, Panagiotis Petrakopoulos wrote:
> The WEP shared-key authentication handlers use the challenge-text
> element's length. This text and its length are attacker-controlled.
> The handlers do not check the length against the fixed 128-byte
> chg_txt buffer.
> 
> In OnAuthClient() the length from rtw_get_ie() can be up to 255 bytes.
> It is used to perform memcpy() into the 128-byte pmlmeinfo->chg_txt.
> A malicious AP sending a malformed WLAN_EID_CHALLENGE element can
> overflow/underfill chg_txt by up to 127 bytes. This is reachable over
> the air, before association, during shared-key authentication. In the
> case of an overflow, the driver can write out of bounds. In the case
> of an underfill, the driver can echo stale buffer memory. In OnAuth() 
> a similar issue is observed. The driver compares a full 128 bytes
> regardless of the element's length, reading past a shorter element.
> 
> The challenge text is defined to be exactly 128 octets, which is
> already provided as the WLAN_AUTH_CHALLENGE_LEN define; require the
> element to be exactly that length in both handlers.
> 
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Panagiotis Petrakopoulos <npetrakopoulos2003@gmail.com>
> Reviewed-by: Manuel Ebner <manuelebner@mailbox.org>
> ---
> v2:
> improved patch description for clarity. no code changes.
> 
> testing:
> Compile-tested only; I do not have RTL8723BS hardware to test the
> shared-key authentication path at runtime. The change only rejects
> challenge elements whose length differs from the spec-mandated 128
> bytes, so conforming peers are unaffected.
> 
>  drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> index a86d6f97cf02..13634d4e83d1 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> @@ -787,7 +787,7 @@ unsigned int OnAuth(struct adapter *padapter, union recv_frame *precv_frame)
>  			p = rtw_get_ie(pframe + WLAN_HDR_A3_LEN + 4 + _AUTH_IE_OFFSET_, WLAN_EID_CHALLENGE, (int *)&ie_len,
>  					len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_ - 4);
>  
> -			if (!p || ie_len <= 0) {
> +			if (!p || ie_len != WLAN_AUTH_CHALLENGE_LEN) {
>  				status = WLAN_STATUS_CHALLENGE_FAIL;
>  				goto auth_fail;
>  			}
> @@ -873,7 +873,7 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
>  			p = rtw_get_ie(pframe + WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_, WLAN_EID_CHALLENGE, (int *)&len,
>  				pkt_len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_);
>  
> -			if (!p)
> +			if (!p || len != WLAN_AUTH_CHALLENGE_LEN)
>  				goto authclnt_fail;
>  
>  			memcpy(pmlmeinfo->chg_txt, p + 2, len);
> -- 
> 2.55.0
> 

This does not apply against my staging-linus branch.  Can you rebase and
resend?

thanks,

greg k-h

      reply	other threads:[~2026-07-17 12:21 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-08 10:42 [PATCH v2] staging: rtl8723bs: fix missing shared-key auth challenge length check Panagiotis Petrakopoulos
2026-07-17 12:21 ` Greg Kroah-Hartman [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2026071726-crust-capped-9011@gregkh \
    --to=gregkh@linuxfoundation.org \
    --cc=Larry.Finger@lwfinger.net \
    --cc=hadess@hadess.net \
    --cc=hdegoede@redhat.com \
    --cc=jes.sorensen@gmail.com \
    --cc=linux-staging@lists.linux.dev \
    --cc=manuelebner@mailbox.org \
    --cc=npetrakopoulos2003@gmail.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.