[PATCH v8 0/1] staging: rtl8723bs: fix missing frame length checks in OnAuth()

[Alexandru Hossu <hossu.alexandru@gmail.com>]

v8, addressing the sashiko review comments on v7.

The Challenge Text IE checks from v7 patch 1 and the OnAuthClient
frame length checks from v7 patch 2 are already in your tree:

  9d6d63cf3c37 ("staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path")
  6ad4395aab1e ("staging: rtl8723bs: fix missing frame length checks in OnAuthClient")

This single patch adds the remaining fix: frame length guards for the
AP-mode handler OnAuth().

What changed in v8 (compared to v7 patch 2/2):

  - The len < WLAN_HDR_A3_LEN guard uses return _FAIL instead of goto
    auth_fail.  The auth_fail block calls memcpy(pstat->hwaddr, sa, ...)
    to build a rejection frame.  At that point sa has not been
    initialised, so goto auth_fail would copy stack garbage into the
    rejection frame's destination address.  Since we cannot build a
    meaningful rejection without knowing the sender, return _FAIL is
    the correct choice.

  - A new guard is added before the iv[3] key-index read inside the
    GetPrivacy() branch.  When the Privacy bit is set, the code computes
    iv = pframe + WLAN_HDR_A3_LEN and immediately reads iv[3] without
    verifying that len >= WLAN_HDR_A3_LEN + 4.  This was a new OOB read
    path not present in any earlier version of the patch.

  - The len < WLAN_HDR_A3_LEN + offset + 4 check now sets
    status = WLAN_STATUS_UNSPECIFIED_FAILURE before goto auth_fail so
    that the rejection frame carries a defined status code rather than
    whatever happened to be on the stack.

Alexandru Hossu (1):
  staging: rtl8723bs: fix missing frame length checks in OnAuth()

 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
--
2.53.0