From: Dan Carpenter <error27@gmail.com>
To: Delene Tchio Romuald <delenetchior1@gmail.com>
Cc: gregkh@linuxfoundation.org, dan.carpenter@linaro.org,
luka.gejak@linux.dev, hansg@kernel.org,
linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH v4 5/5] staging: rtl8723bs: fix negative length in WEP decryption
Date: Thu, 16 Apr 2026 19:46:23 +0300
Message-ID: <aeESXxJwPm95vcWk@stanley.mountain>
In-Reply-To: <20260415185501.440492-6-delenetchior1@gmail.com>
On Wed, Apr 15, 2026 at 07:55:01PM +0100, Delene Tchio Romuald wrote:
> In rtw_wep_decrypt(), the payload length is computed as:
>
> length = frame->len - prxattrib->hdrlen - prxattrib->iv_len;
>
> All operands are unsigned. If the frame is shorter than the sum of
> the header length and the IV length, this subtraction wraps around
> and length becomes a huge unsigned value. That value is then used
> to drive an arc4_crypt() call that reads and writes past the end
> of the receive buffer.
>
> An attacker within WiFi radio range can exploit this by sending a
> crafted short WEP-encrypted frame. No authentication is required.
>
> Validate that the frame is large enough to contain a WEP payload
> before computing length.
>
> Found by reviewing length arithmetic in the WEP decrypt path.
> Not tested on hardware.
>
> Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@vger.kernel.org
> Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
> Signed-off-by: Delene Tchio Romuald <delenetchior1@gmail.com>
> ---
> v4: add Fixes: tag and Cc: stable (Dan Carpenter); carry Luka Gejak's
> Reviewed-by.
> v3: rebased on staging-next; sent as numbered series with proper
> Cc from get_maintainer.pl.
> v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not
> apply).
>
> drivers/staging/rtl8723bs/core/rtw_security.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_security.c b/drivers/staging/rtl8723bs/core/rtw_security.c
> index a00504ff29109..f3bc2240749a4 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_security.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_security.c
> @@ -113,6 +113,12 @@ void rtw_wep_decrypt(struct adapter *padapter, u8 *precvframe)
> memcpy(&wepkey[0], iv, 3);
> /* memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[psecuritypriv->dot11PrivacyKeyIndex].skey[0], keylength); */
> memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[keyindex].skey[0], keylength);
> +
> + /* Ensure the frame is long enough for WEP decryption */
> + if (((union recv_frame *)precvframe)->u.hdr.len <=
> + prxattrib->hdrlen + prxattrib->iv_len)
> + return;
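Review bot: the bound only reserves room for the header and IV, so a frame of hdrlen + iv_len + 1 bytes passes the check with length == 1 even though a WEP frame always ends in a 4-byte ICV; if the decrypt path goes on to verify the ICV with a `length - 4` style subtraction (not visible in this hunk), that wraps the same way as the bug being fixed. Worth confirming, and if so tightening the condition to `prxattrib->hdrlen + prxattrib->iv_len + 4` (or the driver's ICV length constant) so such frames are dropped before arc4_crypt() runs. The trailing context of the hunk is cut off in the quote, so the placement relative to the `length = ...` assignment cannot be checked from here.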
LGTM. Thanks!
regards,
dan carpenter
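The unsigned wrap the commit message describes, and a guarded length computation, as an added stand-alone example (not code from the patch or the driver). It assumes a 24-byte 802.11 data header and a 4-byte WEP IV for the constructed cases, and, going one step beyond the patch's own check, also reserves room for the 4-byte ICV that follows the payload, on the assumption that the decrypt path verifies the ICV over the last 4 bytes as WEP requires.

```c
#include <limits.h>
#include <stdio.h>

#define WEP_ICV_LEN 4u  /* trailing WEP integrity check value */

/* Original arithmetic: every operand is unsigned, so a frame shorter
 * than hdrlen + iv_len does not go negative, it wraps to a value near
 * UINT_MAX, which then bounds the arc4 pass over the receive buffer. */
unsigned int unchecked_wep_len(unsigned int frame_len,
                               unsigned int hdrlen, unsigned int iv_len)
{
    return frame_len - hdrlen - iv_len;
}

/* Guarded version. Returns the byte count arc4 should process, or 0 to
 * tell the caller to drop the frame. The bound is built by addition on
 * the right-hand side, so nothing can wrap. Beyond the patch's check
 * (frame_len <= hdrlen + iv_len) it also insists on room for the ICV;
 * that extra 4 bytes is this example's assumption, not the patch's. */
unsigned int wep_payload_len(unsigned int frame_len,
                             unsigned int hdrlen, unsigned int iv_len)
{
    if (frame_len <= hdrlen + iv_len + WEP_ICV_LEN)
        return 0;
    return frame_len - hdrlen - iv_len;
}

int main(void)
{
    /* Constructed frame sizes: 24-byte header, 4-byte IV. 26 and 28
     * wrap in the unchecked version; 30 and 32 pass the patch's bound
     * but leave no room for the ICV; 40 is a well-formed frame. */
    const unsigned int cases[] = { 26, 28, 30, 32, 40 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned int f = cases[i];
        printf("frame=%u unchecked=%u guarded=%u\n", f,
               unchecked_wep_len(f, 24, 4), wep_payload_len(f, 24, 4));
    }
    return 0;
}
```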
Thread overview: 11+ messages
2026-04-15 18:54 [PATCH v4 0/5] staging: rtl8723bs: fix multiple security vulnerabilities Delene Tchio Romuald
2026-04-15 18:54 ` [PATCH v4 1/5] staging: rtl8723bs: fix heap buffer overflow in recvframe_defrag() Delene Tchio Romuald
2026-04-15 19:56 ` Dan Carpenter
2026-04-15 18:54 ` [PATCH v4 2/5] staging: rtl8723bs: fix integer underflow in TKIP MIC verification Delene Tchio Romuald
2026-04-15 18:54 ` [PATCH v4 3/5] staging: rtl8723bs: fix out-of-bounds read in portctrl() Delene Tchio Romuald
2026-04-16 16:36 ` Dan Carpenter
2026-04-16 17:44 ` Luka Gejak
2026-04-15 18:55 ` [PATCH v4 4/5] staging: rtl8723bs: fix out-of-bounds reads in IE parsing functions Delene Tchio Romuald
2026-04-16 16:44 ` Dan Carpenter
2026-04-15 18:55 ` [PATCH v4 5/5] staging: rtl8723bs: fix negative length in WEP decryption Delene Tchio Romuald
2026-04-16 16:46 ` Dan Carpenter [this message]