From: Dan Carpenter <error27@gmail.com>
To: Alexandru Hossu <hossu.alexandru@gmail.com>
Cc: gregkh@linuxfoundation.org, linux-staging@lists.linux.dev,
linux-kernel@vger.kernel.org, dan.carpenter@linaro.org,
hansg@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path
Date: Tue, 14 Apr 2026 09:19:47 +0300 [thread overview]
Message-ID: <ad3cgzGxPVYLiJbe@stanley.mountain> (raw)
In-Reply-To: <20260413202824.740653-1-hossu.alexandru@gmail.com>
On Mon, Apr 13, 2026 at 10:28:24PM +0200, Alexandru Hossu wrote:
> rtw_get_ie() returns the raw IE length from the received frame, which
> can be up to 255. This length is used directly in memcpy() into
> chg_txt[128] with no bounds check, allowing a heap overflow of up to
> 127 bytes when a rogue AP sends an Auth seq=2 frame with a Challenge
> Text IE longer than 128 bytes.
>
> IEEE 802.11 mandates the Challenge Text element carries exactly 128
> bytes of challenge data. Reject any element whose length field does not
> match sizeof(pmlmeinfo->chg_txt) (128).
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
Looks good.
Reviewed-by: Dan Carpenter <error27@gmail.com>
> ---
> drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> index 5f00fe282d1b..90f27665667a 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> @@ -891,7 +891,7 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
> p = rtw_get_ie(pframe + WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_, WLAN_EID_CHALLENGE, (int *)&len,
^^^^^^
Do we know that pframe has enough data?
KTODO: check if pframe is large enough in OnAuthClient()
regards,
dan carpenter
> pkt_len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_);
>
> - if (!p)
> + if (!p || len != sizeof(pmlmeinfo->chg_txt))
> goto authclnt_fail;
next prev parent reply other threads:[~2026-04-14 6:19 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-13 20:28 [PATCH] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path Alexandru Hossu
2026-04-14 6:19 ` Dan Carpenter [this message]
2026-04-14 6:22 ` Alexandru Hossu
2026-04-14 10:08 ` [PATCH] staging: rtl8723bs: fix frame length underflow in OnAuthClient Alexandru Hossu
2026-04-14 12:48 ` Dan Carpenter
2026-04-14 14:28 ` Alexandru Hossu
2026-04-14 14:53 ` [PATCH v2] staging: rtl8723bs: fix missing frame length checks " Alexandru Hossu
2026-04-14 17:08 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ad3cgzGxPVYLiJbe@stanley.mountain \
--to=error27@gmail.com \
--cc=dan.carpenter@linaro.org \
--cc=gregkh@linuxfoundation.org \
--cc=hansg@kernel.org \
--cc=hossu.alexandru@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.