From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Navaneeth K <knavaneeth786@gmail.com>,
stable <stable@kernel.org>
Subject: [PATCH 6.17 59/60] staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
Date: Wed, 10 Dec 2025 16:30:29 +0900 [thread overview]
Message-ID: <20251210072949.334782839@linuxfoundation.org> (raw)
In-Reply-To: <20251210072947.850479903@linuxfoundation.org>
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Navaneeth K <knavaneeth786@gmail.com>
commit 6ef0e1c10455927867cac8f0ed6b49f328f8cf95 upstream.
The Supported Rates IE length from an incoming Association Request frame
was used directly as the memcpy() length when copying into a fixed-size
16-byte stack buffer (supportRate). A malicious station can advertise an
IE length larger than 16 bytes, causing a stack buffer overflow.
Clamp ie_len to the buffer size before copying the Supported Rates IE,
and correct the bounds check when merging Extended Supported Rates to
prevent a second potential overflow.
This prevents kernel stack corruption triggered by malformed association
requests.
Signed-off-by: Navaneeth K <knavaneeth786@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -1033,6 +1033,9 @@ unsigned int OnAssocReq(struct adapter *
status = WLAN_STATUS_CHALLENGE_FAIL;
goto OnAssocReqFail;
} else {
+ if (ie_len > sizeof(supportRate))
+ ie_len = sizeof(supportRate);
+
memcpy(supportRate, p+2, ie_len);
supportRateNum = ie_len;
@@ -1040,7 +1043,7 @@ unsigned int OnAssocReq(struct adapter *
pkt_len - WLAN_HDR_A3_LEN - ie_offset);
if (p) {
- if (supportRateNum <= sizeof(supportRate)) {
+ if (supportRateNum + ie_len <= sizeof(supportRate)) {
memcpy(supportRate+supportRateNum, p+2, ie_len);
supportRateNum += ie_len;
}
next prev parent reply other threads:[~2025-12-10 7:35 UTC|newest]
Thread overview: 142+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-10 7:29 [PATCH 6.17 00/60] 6.17.12-rc1 review Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 01/60] Documentation: process: Also mention Sasha Levin as stable tree maintainer Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 02/60] jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 03/60] ext4: refresh inline data size before write operations Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 04/60] ksmbd: ipc: fix use-after-free in ipc_msg_send_request Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 05/60] locking/spinlock/debug: Fix data-race in do_raw_write_lock Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 06/60] crypto: zstd - fix double-free in per-CPU stream cleanup Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 07/60] ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 08/60] comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 09/60] KVM: SVM: Dont skip unrelated instruction if INT3/INTO is replaced Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 10/60] USB: serial: option: add Foxconn T99W760 Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 11/60] USB: serial: option: add Telit Cinterion FE910C04 new compositions Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 12/60] USB: serial: option: move Telit 0x10c7 composition in the right place Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 13/60] USB: serial: ftdi_sio: match on interface number for jtag Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 14/60] serial: add support of CPCI cards Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 15/60] dt-bindings: serial: rsci: Drop "uart-has-rtscts: false" Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 16/60] serial: sh-sci: Fix deadlock during RSCI FIFO overrun error Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 17/60] USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 18/60] USB: serial: kobil_sct: " Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 19/60] ftrace: bpf: Fix IPMODIFY + DIRECT in modify_ftrace_direct() Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 20/60] spi: xilinx: increase number of retries before declaring stall Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 21/60] spi: imx: keep dma request disabled before dma transfer setup Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 22/60] ACPI: MRRM: Fix memory leaks and improve error handling Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 23/60] drm/vmwgfx: Use kref in vmw_bo_dirty Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 24/60] arm64: Reject modules with internal alternative callbacks Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 25/60] ALSA: hda/tas2781: Add new quirk for HP new projects Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 26/60] Bluetooth: btrtl: Avoid loading the config file on security chips Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 27/60] ASoC: SDCA: bug fix while parsing mipi-sdca-control-cn-list Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 28/60] smb: fix invalid username check in smb3_fs_context_parse_param() Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.17 29/60] drm/amdkfd: Fix GPU mappings for APU after prefetch Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 31/60] HID: lenovo: fixup Lenovo Yoga Slim 7x Keyboard rdesc Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 32/60] bfs: Reconstruct file type when loading from disk Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 33/60] HID: hid-input: Extend Elan ignore battery quirk to USB Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 34/60] platform/x86/amd/pmc: Add support for Van Gogh SoC Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 35/60] platform/x86: hp-wmi: mark Victus 16-r0 and 16-s0 for victus_s fan and thermal profile support Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 36/60] nvme: fix admin request_queue lifetime Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 37/60] pinctrl: qcom: msm: Fix deadlock in pinmux configuration Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 38/60] platform/x86: acer-wmi: Ignore backlight event Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 39/60] HID: apple: Add SONiX AK870 PRO to non_apple_keyboards quirk list Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 40/60] platform/x86: huawei-wmi: add keys for HONOR models Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 41/60] platform/x86: intel-uncore-freq: Add additional client processors Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 42/60] platform/x86/amd: pmc: Add Lenovo Legion Go 2 to pmc quirk list Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 43/60] platform/x86/amd/pmc: Add spurious_8042 to Xbox Ally Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 44/60] sched_ext: Fix possible deadlock in the deferred_irq_workfn() Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 45/60] platform/x86/intel/hid: Add Nova Lake support Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 46/60] HID: elecom: Add support for ELECOM M-XT3URBK (018F) Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 47/60] sched_ext: Use IRQ_WORK_INIT_HARD() to initialize rq->scx.kick_cpus_irq_work Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 48/60] LoongArch: Mask all interrupts during kexec/kdump Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 49/60] samples: work around glibc redefining some of our defines wrong Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 50/60] platform/x86: hp-wmi: Add Omen 16-wf1xxx fan support Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 51/60] platform/x86: hp-wmi: Add Omen MAX 16-ah0xx fan support and thermal profile Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 52/60] wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1 Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 53/60] wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U " Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 54/60] iio: adc: ad4080: fix chip identification Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 55/60] comedi: c6xdigio: Fix invalid PNP driver unregistration Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 56/60] comedi: multiq3: sanitize config options in multiq3_attach() Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 57/60] comedi: check devices attached status in compat ioctls Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 58/60] staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser Greg Kroah-Hartman
2025-12-10 7:30 ` Greg Kroah-Hartman [this message]
2025-12-10 7:30 ` [PATCH 6.17 60/60] staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing Greg Kroah-Hartman
2025-12-10 10:15 ` [PATCH 6.17 00/60] 6.17.12-rc1 review Brett A C Sheffield
2025-12-10 10:52 ` Jeffrin Thalakkottoor
2025-12-10 12:47 ` Greg Kroah-Hartman
2025-12-10 13:43 ` Jeffrin Thalakkottoor
2025-12-10 19:04 ` Brett A C Sheffield
2025-12-11 15:39 ` Jeffrin Thalakkottoor
2025-12-11 16:41 ` Brett A C Sheffield
2025-12-11 17:11 ` Jeffrin Thalakkottoor
2025-12-11 17:36 ` Jeffrin Thalakkottoor
2025-12-10 12:47 ` Achill Gilgenast
2025-12-10 13:00 ` Peter Schneider
2025-12-10 19:41 ` Florian Fainelli
2025-12-10 22:01 ` Ron Economos
2025-12-11 6:23 ` Naresh Kamboju
2025-12-11 9:11 ` Mark Brown
2025-12-11 10:02 ` Dileep malepu
2025-12-12 9:09 ` Jon Hunter
-- strict thread matches above, loose matches on Subject: below --
2025-12-10 7:29 [PATCH 6.12 00/49] 6.12.62-rc1 review Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 01/49] xfrm: delete x->tunnel as we delete x Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 02/49] Revert "xfrm: destroy xfrm_state synchronously on net exit path" Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 03/49] xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 04/49] xfrm: flush all states in xfrm_state_fini Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 05/49] Documentation: process: Also mention Sasha Levin as stable tree maintainer Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 06/49] jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 07/49] ext4: refresh inline data size before write operations Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 08/49] ksmbd: ipc: fix use-after-free in ipc_msg_send_request Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 09/49] locking/spinlock/debug: Fix data-race in do_raw_write_lock Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 10/49] ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 11/49] comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 12/49] KVM: SVM: Dont skip unrelated instruction if INT3/INTO is replaced Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 13/49] USB: serial: option: add Foxconn T99W760 Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 14/49] USB: serial: option: add Telit Cinterion FE910C04 new compositions Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 15/49] USB: serial: option: move Telit 0x10c7 composition in the right place Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 16/49] USB: serial: ftdi_sio: match on interface number for jtag Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 17/49] serial: add support of CPCI cards Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 18/49] USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.17 30/60] ALSA: usb-audio: Add native DSD quirks for PureAudio DAC series Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 19/49] USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 20/49] ftrace: bpf: Fix IPMODIFY + DIRECT in modify_ftrace_direct() Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 21/49] spi: xilinx: increase number of retries before declaring stall Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 22/49] spi: imx: keep dma request disabled before dma transfer setup Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 23/49] drm/vmwgfx: Use kref in vmw_bo_dirty Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 24/49] Bluetooth: btrtl: Avoid loading the config file on security chips Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 25/49] smb: fix invalid username check in smb3_fs_context_parse_param() Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 26/49] drm/amdkfd: Fix GPU mappings for APU after prefetch Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 27/49] ALSA: usb-audio: Add native DSD quirks for PureAudio DAC series Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 28/49] bfs: Reconstruct file type when loading from disk Greg Kroah-Hartman
2025-12-10 7:29 ` [PATCH 6.12 29/49] HID: hid-input: Extend Elan ignore battery quirk to USB Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 30/49] nvme: fix admin request_queue lifetime Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 31/49] pinctrl: qcom: msm: Fix deadlock in pinmux configuration Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 32/49] platform/x86: acer-wmi: Ignore backlight event Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 33/49] HID: apple: Add SONiX AK870 PRO to non_apple_keyboards quirk list Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 34/49] platform/x86: huawei-wmi: add keys for HONOR models Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 35/49] platform/x86/amd: pmc: Add Lenovo Legion Go 2 to pmc quirk list Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 36/49] platform/x86/amd/pmc: Add spurious_8042 to Xbox Ally Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 37/49] HID: elecom: Add support for ELECOM M-XT3URBK (018F) Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 38/49] LoongArch: Mask all interrupts during kexec/kdump Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 39/49] samples: work around glibc redefining some of our defines wrong Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 40/49] wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1 Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 41/49] wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U " Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 42/49] comedi: c6xdigio: Fix invalid PNP driver unregistration Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 43/49] comedi: multiq3: sanitize config options in multiq3_attach() Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 44/49] comedi: check devices attached status in compat ioctls Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 45/49] staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 46/49] staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 47/49] staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR " Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 48/49] bus: mhi: host: pci_generic: Add Telit FN920C04 modem support Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.12 49/49] bus: mhi: host: pci_generic: Add Telit FN990B40 " Greg Kroah-Hartman
2025-12-10 10:15 ` [PATCH 6.12 00/49] 6.12.62-rc1 review Brett A C Sheffield
2025-12-10 11:22 ` Jeffrin Thalakkottoor
2025-12-10 12:33 ` Peter Schneider
2025-12-10 19:26 ` Florian Fainelli
2025-12-10 20:12 ` Brett Mastbergen
2025-12-10 20:40 ` Hardik Garg
2025-12-10 22:11 ` Ron Economos
2025-12-11 6:55 ` Naresh Kamboju
2025-12-11 9:06 ` Mark Brown
2025-12-11 10:31 ` Dileep malepu
2025-12-12 9:09 ` Jon Hunter
2025-12-13 16:31 ` Guenter Roeck
2025-12-14 1:24 ` Huacai Chen
2025-12-16 10:20 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251210072949.334782839@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=knavaneeth786@gmail.com \
--cc=patches@lists.linux.dev \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).