* [PATCH] staging: rtl8723bs: fix negative length in WEP decryption
@ 2026-04-04 23:02 Delene Tchio Romuald
2026-04-05 11:02 ` Jose A. Perez de Azpillaga
0 siblings, 1 reply; 2+ messages in thread
From: Delene Tchio Romuald @ 2026-04-04 23:02 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, linux-kernel, Delene Tchio Romuald, stable
In rtw_wep_decrypt(), length is declared as signed int and computed as:
length = len - hdrlen - iv_len;
If the received frame is shorter than the combined header and IV
lengths, length becomes negative. It is then passed to arc4_crypt()
which takes a u32 parameter, causing the negative value to be
implicitly cast to a very large unsigned value (e.g., -8 becomes
4294967288). This results in a massive out-of-bounds read and write
on the heap via arc4_crypt(), and a similar overflow at the
subsequent crc32_le() call using length - 4.
Add a minimum frame length check before the subtraction to ensure
length is always positive.
Cc: stable@vger.kernel.org
Signed-off-by: Delene Tchio Romuald <delenetchior1@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_security.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/staging/rtl8723bs/core/rtw_security.c b/drivers/staging/rtl8723bs/core/rtw_security.c
index b489babe7..807f4f3c7 100644
--- a/drivers/staging/rtl8723bs/core/rtw_security.c
+++ b/drivers/staging/rtl8723bs/core/rtw_security.c
@@ -113,6 +113,12 @@ void rtw_wep_decrypt(struct adapter *padapter, u8 *precvframe)
memcpy(&wepkey[0], iv, 3);
/* memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[psecuritypriv->dot11PrivacyKeyIndex].skey[0], keylength); */
memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[keyindex].skey[0], keylength);
+
+ /* Ensure the frame is long enough for WEP decryption */
+ if (((union recv_frame *)precvframe)->u.hdr.len <=
+ prxattrib->hdrlen + prxattrib->iv_len)
+ return;
+
length = ((union recv_frame *)precvframe)->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_len;
payload = pframe + prxattrib->iv_len + prxattrib->hdrlen;
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] staging: rtl8723bs: fix negative length in WEP decryption
2026-04-04 23:02 [PATCH] staging: rtl8723bs: fix negative length in WEP decryption Delene Tchio Romuald
@ 2026-04-05 11:02 ` Jose A. Perez de Azpillaga
0 siblings, 0 replies; 2+ messages in thread
From: Jose A. Perez de Azpillaga @ 2026-04-05 11:02 UTC (permalink / raw)
To: Delene Tchio Romuald; +Cc: gregkh, linux-staging, linux-kernel, stable
On Sun, Apr 05, 2026 at 12:02:48AM +0100, Delene Tchio Romuald wrote:
> In rtw_wep_decrypt(), length is declared as signed int and computed as:
>
> length = len - hdrlen - iv_len;
>
> If the received frame is shorter than the combined header and IV
> lengths, length becomes negative. It is then passed to arc4_crypt()
> which takes a u32 parameter, causing the negative value to be
> implicitly cast to a very large unsigned value (e.g., -8 becomes
> 4294967288). This results in a massive out-of-bounds read and write
> on the heap via arc4_crypt(), and a similar overflow at the
> subsequent crc32_le() call using length - 4.
>
> Add a minimum frame length check before the subtraction to ensure
> length is always positive.
>
> Cc: stable@vger.kernel.org
since you cc'd stable, a Fixes tag is needed.
...
--
regards,
jose a. p-a
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-04-05 11:02 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-04 23:02 [PATCH] staging: rtl8723bs: fix negative length in WEP decryption Delene Tchio Romuald
2026-04-05 11:02 ` Jose A. Perez de Azpillaga
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox