From: Delene Tchio Romuald <delenetchior1@gmail.com>
To: gregkh@linuxfoundation.org
Cc: dan.carpenter@linaro.org, error27@gmail.com,
luka.gejak@linux.dev, hansg@kernel.org,
linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org,
stable@vger.kernel.org,
Delene Tchio Romuald <delenetchior1@gmail.com>
Subject: [PATCH v4 0/5] staging: rtl8723bs: fix multiple security vulnerabilities
Date: Wed, 15 Apr 2026 19:54:56 +0100
Message-ID: <20260415185501.440492-1-delenetchior1@gmail.com>
This series fixes five remotely-triggerable memory safety issues in
the rtl8723bs driver. All of them are reachable from the air by an
attacker within WiFi radio range, without authentication, via
crafted management or data frames:
1. Heap buffer overflow in recvframe_defrag() when reassembling
fragmented frames whose total payload exceeds the receive
buffer capacity.
2. Integer underflow in TKIP MIC verification when a frame is
shorter than the sum of header, IV, ICV and MIC sizes.
3. Out-of-bounds read in portctrl() when a non-EAPOL frame is
shorter than the 802.11 header + IV + LLC + ether_type.
4. Out-of-bounds reads in three IE walkers (rtw_get_wapi_ie(),
rtw_get_sec_ie(), rtw_get_wps_ie()) due to missing validation
of the TLV length byte.
5. Integer underflow in rtw_wep_decrypt() when a WEP frame is
shorter than the header + IV.
Each patch was found by code review and is not tested on hardware.
Changes since v3:
- Patch 1/5 (recvframe_defrag): check the return values of
recvframe_pull() and recvframe_pull_tail(); on failure those
helpers revert their pointer updates and return NULL, so the
subsequent rx_end - rx_tail bounds check must not run on stale
pointers (Dan Carpenter).
- Patch 1/5: drop the unnecessary (uint) cast in the bounds
check (Dan Carpenter).
- All patches: add Fixes: tag pointing at the driver import and
add the stable backport tag, per Dan Carpenter's request.
- Patches 2-5: carry Reviewed-by: Luka Gejak. Patch 1/5 lost
Luka's tag because the code changed.
Changes since v2:
- Sent as numbered series with cover letter.
- Cc list regenerated from scripts/get_maintainer.pl.
Changes since v1:
- Rebased on staging-next (v1 was based on v7.0-rc6 and did not
apply).
Delene Tchio Romuald (5):
staging: rtl8723bs: fix heap buffer overflow in recvframe_defrag()
staging: rtl8723bs: fix integer underflow in TKIP MIC verification
staging: rtl8723bs: fix out-of-bounds read in portctrl()
staging: rtl8723bs: fix out-of-bounds reads in IE parsing functions
staging: rtl8723bs: fix negative length in WEP decryption
.../staging/rtl8723bs/core/rtw_ieee80211.c | 15 ++++-
drivers/staging/rtl8723bs/core/rtw_recv.c | 55 ++++++++++++++-----
drivers/staging/rtl8723bs/core/rtw_security.c | 6 ++
3 files changed, 60 insertions(+), 16 deletions(-)
base-commit: bf9c95f3eeefb7fc4b4a6380cc23f1dca744e379
--
2.43.0
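The fourth item in the series, the IE walkers that trust the TLV length byte, is the pattern below in a bounds-checked form. This is an added illustration, not code from the rtl8723bs driver or this series; ie_find() and the sample buffer are hypothetical and constructed here.

```c
/* Added example: a bounds-checked 802.11 information-element (TLV) walker.
 * Illustrative code only, not the driver's rtw_get_*_ie() helpers;
 * ie_find() and sample_ies are hypothetical names. */
#include <stddef.h>
#include <stdint.h>

/* Each IE is: 1 byte element id, 1 byte length, then `length` bytes. */
#define IE_HDR_LEN 2

/* Return a pointer to the payload of the first IE with element id `want`,
 * or NULL. `len_out` receives that IE's payload length. A truncated IE
 * (length byte claims more bytes than remain in the buffer) ends the walk
 * with NULL instead of reading past the end of `buf`. */
static const uint8_t *ie_find(const uint8_t *buf, size_t buf_len,
                              uint8_t want, size_t *len_out)
{
    size_t off = 0;

    while (off + IE_HDR_LEN <= buf_len) {
        uint8_t id = buf[off];
        size_t ie_len = buf[off + 1];

        /* Validate the TLV length against the remaining bytes before
         * it is used for either the match or the step to the next IE. */
        if (ie_len > buf_len - off - IE_HDR_LEN)
            return NULL;

        if (id == want) {
            *len_out = ie_len;
            return buf + off + IE_HDR_LEN;
        }
        off += IE_HDR_LEN + ie_len;
    }
    return NULL;
}

/* Constructed sample: an SSID IE (id 0, len 4) followed by a vendor IE
 * (id 0xdd) whose length byte (0x20) overstates the 2 bytes that remain. */
static const uint8_t sample_ies[] = {
    0x00, 0x04, 'h', 'o', 'm', 'e',
    0xdd, 0x20, 0x00, 0x50
};

/* Well-formed IE: found, payload length 4. */
int sample_ssid_len(void)
{
    size_t n = 0;
    return ie_find(sample_ies, sizeof(sample_ies), 0x00, &n) ? (int)n : -1;
}

/* Truncated IE: the walk stops with NULL rather than reading out of bounds. */
int sample_vendor_found(void)
{
    size_t n = 0;
    return ie_find(sample_ies, sizeof(sample_ies), 0xdd, &n) != NULL;
}
```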
Thread overview:
2026-04-15 18:54 Delene Tchio Romuald [this message]
2026-04-15 18:54 ` [PATCH v4 1/5] staging: rtl8723bs: fix heap buffer overflow in recvframe_defrag() Delene Tchio Romuald
2026-04-15 19:56 ` Dan Carpenter
2026-04-15 18:54 ` [PATCH v4 2/5] staging: rtl8723bs: fix integer underflow in TKIP MIC verification Delene Tchio Romuald
2026-04-15 18:54 ` [PATCH v4 3/5] staging: rtl8723bs: fix out-of-bounds read in portctrl() Delene Tchio Romuald
2026-04-16 16:36 ` Dan Carpenter
2026-04-16 17:44 ` Luka Gejak
2026-04-15 18:55 ` [PATCH v4 4/5] staging: rtl8723bs: fix out-of-bounds reads in IE parsing functions Delene Tchio Romuald
2026-04-16 16:44 ` Dan Carpenter
2026-04-15 18:55 ` [PATCH v4 5/5] staging: rtl8723bs: fix negative length in WEP decryption Delene Tchio Romuald
2026-04-16 16:46 ` Dan Carpenter