From: Dan Carpenter <error27@gmail.com>
To: Alexandru Hossu <hossu.alexandru@gmail.com>
Cc: gregkh@linuxfoundation.org, linux-staging@lists.linux.dev
Subject: Re: [PATCH 3/3] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie()
Date: Sat, 25 Apr 2026 15:10:58 +0300
Message-ID: <aeyvUlS9bbEkSGzr@stanley.mountain>
In-Reply-To: <20260424151932.3734611-4-hossu.alexandru@gmail.com>
On Fri, Apr 24, 2026 at 05:19:32PM +0200, Alexandru Hossu wrote:
> supplicant_ie is a 256-byte array in struct security_priv. The WPA and
> WPA2 IE copy paths use:
>
> memcpy(padapter->securitypriv.supplicant_ie, &pwpa[0], wpa_ielen + 2);
>
> where wpa_ielen is the raw IE length field (u8, 0-255). When a local user
> supplies a connect request via nl80211 with a crafted WPA IE of length 255,
> wpa_ielen + 2 equals 257, overflowing the 256-byte buffer by one byte into
> the adjacent last_mic_err_time field.
>
> rtw_parse_wpa_ie() does not prevent this: its length consistency check
> compares *(wpa_ie+1) against (u8)(wpa_ie_len-2), which is (u8)(255) == 255
> when wpa_ie_len = 257, so the check passes silently.
>
> Add explicit bounds checks for both the WPA and WPA2 paths before the
> memcpy, rejecting any IE whose total size (wpa_ielen + 2) exceeds the
> supplicant_ie buffer.
>
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> ---
> drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
> index fd3bae31b0ed..e7ba5ccfa03c 100644
> --- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
> +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
> @@ -1445,6 +1445,10 @@ static int rtw_cfg80211_set_wpa_ie(struct adapter *padapter, u8 *pie, size_t iel
>
> pwpa = rtw_get_wpa_ie(buf, &wpa_ielen, ielen);
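Review bot: the added checks described in the commit message are not in the quoted part of this hunk (only the hunk header `@@ -1445,6 +1445,10 @@` and the `pwpa = rtw_get_wpa_ie(...)` context line survive, and the diffstat's 8 insertions imply a second hunk for the WPA2 path). When reviewing the full version, check that the rejection compares `wpa_ielen + 2` against `sizeof(padapter->securitypriv.supplicant_ie)` rather than a literal 256, so the check tracks the array in struct security_priv if it is ever resized, and that it sits before both the WPA and the WPA2 memcpy as the message states; the `(u8)(wpa_ie_len - 2)` comparison in rtw_parse_wpa_ie() cannot be relied on, since 257 - 2 truncates to 255 and passes.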
The rtw_get_wpa_ie() function is pretty suspect... :P
KTODO: Fix the buffer overflows in rtw_get_wpa_ie()
Otherwise this patch looks like it fixes a real bug and doesn't introduce
any regressions...
regards,
dan carpenter
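A small stand-alone model of the bug the commit message describes, added here as an example and not code from the rtl8723bs driver or from either poster: it reproduces the u8-truncated length consistency check, the unchecked `wpa_ielen + 2` copy length, and the bounds check the patch adds before the memcpy. The 256-byte buffer size and the 0xdd vendor-specific element ID are taken from the commit message and the WPA IE format; the function names and the constructed IE contents are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* supplicant_ie is a 256-byte array in struct security_priv (per the
 * commit message); modelled here as a plain constant. */
#define SUPPLICANT_IE_LEN 256

/* Model of the length consistency check in rtw_parse_wpa_ie() as the
 * commit message describes it: the IE's own length byte is compared with
 * (u8)(wpa_ie_len - 2).  For wpa_ie_len == 257 the right-hand side
 * truncates to 255, so an IE whose length byte is 255 passes. */
static bool length_check_passes(const uint8_t *ie, size_t ie_len)
{
    return ie[1] == (uint8_t)(ie_len - 2);
}

/* Number of bytes the original code hands to memcpy: the raw u8 length
 * field plus the two header bytes, i.e. up to 257 for a 256-byte buffer. */
static size_t copy_len_unchecked(const uint8_t *ie)
{
    uint8_t wpa_ielen = ie[1];      /* raw IE length field, 0-255 */
    return (size_t)wpa_ielen + 2;
}

/* Hardened copy in the spirit of the patch: reject any IE whose total
 * size (wpa_ielen + 2) exceeds the destination before touching memory.
 * Returns true if the IE was copied, false if it was rejected. */
static bool copy_supplicant_ie(uint8_t dst[SUPPLICANT_IE_LEN],
                               const uint8_t *ie)
{
    size_t total = (size_t)ie[1] + 2;

    if (total > SUPPLICANT_IE_LEN)
        return false;           /* would overflow by total - 256 bytes */
    memcpy(dst, ie, total);
    return true;
}

/* Build a constructed vendor-specific (0xdd) IE with the given body
 * length into buf; returns the total encoded size, or 0 if buf is small. */
static size_t build_ie(uint8_t *buf, size_t bufsz, uint8_t body_len)
{
    size_t total = (size_t)body_len + 2;

    if (bufsz < total)
        return 0;
    buf[0] = 0xdd;              /* element ID: vendor specific */
    buf[1] = body_len;          /* u8 length field */
    memset(buf + 2, 0xaa, body_len); /* constructed filler body */
    return total;
}
```

With a 255-byte body, `length_check_passes()` still returns true while `copy_len_unchecked()` reports 257 bytes, one more than the buffer; `copy_supplicant_ie()` rejects that IE and accepts a 254-byte body, whose 256-byte total exactly fills the array.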
Thread overview: 7+ messages
2026-04-24 15:19 [PATCH 0/3] staging: rtl8723bs: fix OOB reads and heap overflow in IE parsing Alexandru Hossu
2026-04-24 15:19 ` [PATCH 1/3] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop Alexandru Hossu
2026-04-25 11:42 ` Dan Carpenter
2026-04-24 15:19 ` [PATCH 2/3] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl() Alexandru Hossu
2026-04-24 15:19 ` [PATCH 3/3] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie() Alexandru Hossu
2026-04-25 12:10 ` Dan Carpenter [this message]
2026-04-24 16:05 ` [PATCH 0/3] staging: rtl8723bs: fix OOB reads and heap overflow in IE parsing Luka Gejak