From: Shayaun Nejad <snejad123@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-staging@lists.linux.dev, linux-wireless@vger.kernel.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Shayaun Nejad <snejad123@gmail.com>
Subject: [PATCH 0/2] staging: rtl8723bs: fix two remote frame-handling bugs
Date: Mon, 11 May 2026 18:44:54 -0700
Message-ID: <cover.1778550157.git.snejad123@gmail.com>
Fix two rtl8723bs receive-side bugs reachable while handling remote
802.11 management frames.

The first patch fixes a use-after-free in validate_80211w_mgmt(),
where decryptor() can release the receive frame and return NULL before
the caller reuses cached pointers into that frame.

The second patch bounds the combined SUPP_RATES and EXT_SUPP_RATES IE
lengths copied from beacon/probe response data into the 16-byte
support_rate[] stack buffer in rtw_check_beacon_data().

Both issues were found by Kuzushi + deep-audit (Sonnet 4.6) and
manually verified against mainline.
Shayaun Nejad (2):
staging: rtl8723bs: fix use-after-free in validate_80211w_mgmt after
decryptor()
staging: rtl8723bs: bound SUPP_RATES IE length in
rtw_check_beacon_data
drivers/staging/rtl8723bs/core/rtw_ap.c | 6 +++++-
drivers/staging/rtl8723bs/core/rtw_recv.c | 9 +++++++--
2 files changed, 12 insertions(+), 3 deletions(-)
--
2.43.0
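The second bug described in the cover letter is a classic unbounded IE copy: each rate element is appended to a fixed 16-byte stack buffer without checking what the previous element already used. The following C program is an added example written for this page, not code from the patch series or from the rtl8723bs driver. It walks a constructed beacon IE list, reports how many bytes an unbounded copy would write, and shows a bounded collector that rejects the frame when the combined SUPP_RATES (element ID 1) and EXT_SUPP_RATES (element ID 50) lengths would not fit, or when an element's declared length runs past the end of the frame. The function names, RATE_BUF_LEN, and the sample frames are invented for illustration; only the element IDs and the 16-byte buffer size come from 802.11 and the cover letter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WLAN_EID_SUPP_RATES      1   /* IEEE 802.11 Supported Rates element */
#define WLAN_EID_EXT_SUPP_RATES  50  /* IEEE 802.11 Extended Supported Rates element */
#define RATE_BUF_LEN             16  /* size of the driver's support_rate[] per the cover letter */

/* Bytes an unbounded "append each rate IE" copy would write. Anything above
 * RATE_BUF_LEN is a stack overflow in a RATE_BUF_LEN destination. Truncated
 * elements end the walk rather than being counted. */
size_t rates_total_len(const uint8_t *ies, size_t len)
{
    size_t off = 0, total = 0;

    while (off + 2 <= len) {
        uint8_t id = ies[off], ie_len = ies[off + 1];

        if (off + 2 + ie_len > len)      /* declared length runs past the frame */
            break;
        if (id == WLAN_EID_SUPP_RATES || id == WLAN_EID_EXT_SUPP_RATES)
            total += ie_len;
        off += 2 + ie_len;
    }
    return total;
}

/* Bounded collector: copies rate bytes into out[cap], tracking how much of
 * the buffer is already used. Returns the number of rates stored, or -1 when
 * the frame is malformed or the combined IE lengths exceed cap. */
int collect_rates_bounded(const uint8_t *ies, size_t len,
                          uint8_t *out, size_t cap)
{
    size_t off = 0, n = 0;

    while (off + 2 <= len) {
        uint8_t id = ies[off], ie_len = ies[off + 1];

        if (off + 2 + ie_len > len)
            return -1;                   /* malformed element: reject frame */
        if (id == WLAN_EID_SUPP_RATES || id == WLAN_EID_EXT_SUPP_RATES) {
            if (ie_len > cap - n)        /* would overflow the buffer: reject */
                return -1;
            memcpy(out + n, ies + off + 2, ie_len);
            n += ie_len;
        }
        off += 2 + ie_len;
    }
    return (int)n;
}

/* Mirrors the stack-buffer usage pattern: a 16-byte local filled from the frame. */
int check_frame(const uint8_t *ies, size_t len)
{
    uint8_t support_rate[RATE_BUF_LEN];

    return collect_rates_bounded(ies, len, support_rate, sizeof support_rate);
}

/* Constructed sample frames (not captured traffic). */
const uint8_t benign_ies[] = {
    0x00, 0x02, 'a', 'p',                                    /* SSID "ap" */
    0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24, /* 8 basic rates */
    0x32, 0x04, 0x30, 0x48, 0x60, 0x6c,                      /* 4 extended rates */
};
const uint8_t hostile_ies[] = {
    0x00, 0x02, 'a', 'p',
    0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24,
    0x32, 0x10, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,   /* 16 more: 24 total */
                0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
};
const uint8_t truncated_ies[] = {
    0x01, 0x14, 0x82, 0x84,                                  /* claims 20 bytes, has 2 */
};

int main(void)
{
    printf("benign:    unbounded writes %zu, bounded -> %d\n",
           rates_total_len(benign_ies, sizeof benign_ies),
           check_frame(benign_ies, sizeof benign_ies));
    printf("hostile:   unbounded writes %zu (> %d), bounded -> %d\n",
           rates_total_len(hostile_ies, sizeof hostile_ies), RATE_BUF_LEN,
           check_frame(hostile_ies, sizeof hostile_ies));
    printf("truncated: bounded -> %d\n",
           check_frame(truncated_ies, sizeof truncated_ies));
    return 0;
}
```

The check is deliberately on the running total, not on each element alone: a SUPP_RATES element of 8 and an EXT_SUPP_RATES element of 16 are each individually plausible, but together they overrun a 16-byte destination by 8 bytes. The truncated-element case is worth keeping as a separate rejection path, since a length byte that points past the end of the frame turns a bounded memcpy into an over-read of whatever follows the receive buffer.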
2026-05-12 1:44 Shayaun Nejad [this message]
2026-05-12 1:44 ` [PATCH 1/2] staging: rtl8723bs: fix use-after-free in validate_80211w_mgmt after decryptor() Shayaun Nejad
2026-05-12 1:44 ` [PATCH 2/2] staging: rtl8723bs: bound SUPP_RATES IE length in rtw_check_beacon_data Shayaun Nejad
2026-05-12 7:37 ` Dan Carpenter