From: Dan Carpenter <error27@gmail.com>
To: Alexandru Hossu <hossu.alexandru@gmail.com>
Cc: gregkh@linuxfoundation.org, linux-staging@lists.linux.dev
Subject: Re: [PATCH 3/3] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie()
Date: Sat, 25 Apr 2026 15:10:58 +0300 [thread overview]
Message-ID: <aeyvUlS9bbEkSGzr@stanley.mountain> (raw)
In-Reply-To: <20260424151932.3734611-4-hossu.alexandru@gmail.com>
On Fri, Apr 24, 2026 at 05:19:32PM +0200, Alexandru Hossu wrote:
> supplicant_ie is a 256-byte array in struct security_priv. The WPA and
> WPA2 IE copy paths use:
>
> memcpy(padapter->securitypriv.supplicant_ie, &pwpa[0], wpa_ielen + 2);
>
> where wpa_ielen is the raw IE length field (u8, 0-255). When a local user
> supplies a connect request via nl80211 with a crafted WPA IE of length 255,
> wpa_ielen + 2 equals 257, overflowing the 256-byte buffer by one byte into
> the adjacent last_mic_err_time field.
>
> rtw_parse_wpa_ie() does not prevent this: its length consistency check
> compares *(wpa_ie+1) against (u8)(wpa_ie_len-2), which is (u8)(255) == 255
> when wpa_ie_len = 257, so the check passes silently.
>
> Add explicit bounds checks for both the WPA and WPA2 paths before the
> memcpy, rejecting any IE whose total size (wpa_ielen + 2) exceeds the
> supplicant_ie buffer.
>
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> ---
> drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
> index fd3bae31b0ed..e7ba5ccfa03c 100644
> --- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
> +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
> @@ -1445,6 +1445,10 @@ static int rtw_cfg80211_set_wpa_ie(struct adapter *padapter, u8 *pie, size_t iel
>
> pwpa = rtw_get_wpa_ie(buf, &wpa_ielen, ielen);
The rtw_get_wpa_ie() function is pretty suspect... :P
KTODO: Fix the buffer overflows in rtw_get_wpa_ie()
Otherwise this patch looks like it fixes a real bug and doesn't introduce
any regressions...
regards,
dan carpenter
next prev parent reply other threads:[~2026-04-25 12:11 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-24 15:19 [PATCH 0/3] staging: rtl8723bs: fix OOB reads and heap overflow in IE parsing Alexandru Hossu
2026-04-24 15:19 ` [PATCH 1/3] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop Alexandru Hossu
2026-04-25 11:42 ` Dan Carpenter
2026-04-24 15:19 ` [PATCH 2/3] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl() Alexandru Hossu
2026-04-24 15:19 ` [PATCH 3/3] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie() Alexandru Hossu
2026-04-25 12:10 ` Dan Carpenter [this message]
2026-04-24 16:05 ` [PATCH 0/3] staging: rtl8723bs: fix OOB reads and heap overflow in IE parsing Luka Gejak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aeyvUlS9bbEkSGzr@stanley.mountain \
--to=error27@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=hossu.alexandru@gmail.com \
--cc=linux-staging@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox