* [PATCH 0/2] staging: rtl8723bs: fix two remote frame-handling bugs
From: Shayaun Nejad @ 2026-05-12 1:44 UTC
To: Greg Kroah-Hartman
Cc: linux-staging, linux-wireless, linux-kernel, stable,
Shayaun Nejad
Fix two rtl8723bs receive-side bugs reachable while handling remote
802.11 management frames.
The first patch fixes a use-after-free in validate_80211w_mgmt(),
where decryptor() can release the receive frame and return NULL before
the caller reuses cached pointers into that frame.
The second patch bounds the combined SUPP_RATES and EXT_SUPP_RATES IE
lengths copied from beacon/probe response data into the 16-byte
support_rate[] stack buffer in rtw_check_beacon_data().
Both issues were found by Kuzushi + deep-audit (Sonnet 4.6) and
manually verified against mainline.
Shayaun Nejad (2):
staging: rtl8723bs: fix use-after-free in validate_80211w_mgmt after
decryptor()
staging: rtl8723bs: bound SUPP_RATES IE length in
rtw_check_beacon_data
drivers/staging/rtl8723bs/core/rtw_ap.c | 6 +++++-
drivers/staging/rtl8723bs/core/rtw_recv.c | 9 +++++++--
2 files changed, 12 insertions(+), 3 deletions(-)
--
2.43.0
* [PATCH 1/2] staging: rtl8723bs: fix use-after-free in validate_80211w_mgmt after decryptor()
From: Shayaun Nejad @ 2026-05-12 1:44 UTC
To: Greg Kroah-Hartman
Cc: linux-staging, linux-wireless, linux-kernel, stable,
Shayaun Nejad
decryptor() can release precv_frame and return NULL when protected
management frame decryption fails.
validate_80211w_mgmt() still uses ptr and pattrib saved from that frame
for two memcpy() calls before checking the returned frame pointer.
Check the returned frame before any further access, then refresh ptr and
pattrib from the returned frame.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Shayaun Nejad <snejad123@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_recv.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
index f78194d508..0e1d248d8f 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -1433,6 +1433,13 @@ static signed int validate_80211w_mgmt(struct adapter *adapter, union recv_frame
if (!mgmt_DATA)
goto validate_80211w_fail;
precv_frame = decryptor(adapter, precv_frame);
+ if (!precv_frame) {
+ kfree(mgmt_DATA);
+ goto validate_80211w_fail;
+ }
+
+ pattrib = &precv_frame->u.hdr.attrib;
+ ptr = precv_frame->u.hdr.rx_data;
/* save actual management data frame body */
memcpy(mgmt_DATA, ptr + pattrib->hdrlen + pattrib->iv_len, data_len);
/* overwrite the iv field */
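Review bot: the NULL check now sits before the two memcpy() calls, which is the right place, but the fail path needs one sentence in the commit message about frame ownership: decryptor() has already released precv_frame when it returns NULL, so whatever handles the failure return after validate_80211w_fail must not free the frame a second time; if that caller does free on failure, the use-after-free becomes a double free and this path needs a different exit. Separately, data_len on the `memcpy(mgmt_DATA, ptr + pattrib->hdrlen + pattrib->iv_len, data_len);` line was computed from pattrib before the decryptor() call. If decryptor() can only ever hand back the frame it was given, the refresh of pattrib and ptr is purely defensive and a one-line comment saying so would stop readers from assuming the values can change; if it can return a different frame, data_len should be recomputed from the refreshed pattrib as well.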
@@ -1440,8 +1447,6 @@ static signed int validate_80211w_mgmt(struct adapter *adapter, union recv_frame
/* remove the iv and icv length */
pattrib->pkt_len = pattrib->pkt_len - pattrib->iv_len - pattrib->icv_len;
kfree(mgmt_DATA);
- if (!precv_frame)
- goto validate_80211w_fail;
} else if (is_multicast_ether_addr(GetAddr1Ptr(ptr)) &&
(subtype == WIFI_DEAUTH || subtype == WIFI_DISASSOC)) {
signed int BIP_ret = _SUCCESS;
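Review bot: removing this late check is correct, since the NULL case now exits before the two memcpy() writes through ptr, and mgmt_DATA is freed on both the new early exit and this success path, so no leak is introduced. Nothing further to change in this hunk.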
--
2.43.0
* [PATCH 2/2] staging: rtl8723bs: bound SUPP_RATES IE length in rtw_check_beacon_data
From: Shayaun Nejad @ 2026-05-12 1:44 UTC
To: Greg Kroah-Hartman
Cc: linux-staging, linux-wireless, linux-kernel, stable,
Shayaun Nejad
rtw_check_beacon_data() copies SUPP_RATES and EXT_SUPP_RATES IE
payloads into a 16-byte support_rate[] buffer.
The IE lengths are used directly, so oversized rate IEs can overflow the
stack buffer.
Clamp the supported rates copy and the combined extended supported rates
copy to NDIS_802_11_LENGTH_RATES_EX.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Shayaun Nejad <snejad123@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_ap.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_ap.c b/drivers/staging/rtl8723bs/core/rtw_ap.c
index 4b40124110..363ecb02b5 100644
--- a/drivers/staging/rtl8723bs/core/rtw_ap.c
+++ b/drivers/staging/rtl8723bs/core/rtw_ap.c
@@ -873,6 +873,7 @@ int rtw_check_beacon_data(struct adapter *padapter, u8 *pbuf, int len)
&ie_len,
(pbss_network->ie_length - _BEACON_IE_OFFSET_));
if (p) {
+ ie_len = min_t(uint, ie_len, NDIS_802_11_LENGTH_RATES_EX);
memcpy(support_rate, p + 2, ie_len);
support_rate_num = ie_len;
}
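Review bot: the clamp should be written with umin() rather than min_t(uint, ...), which is the form preferred for two unsigned operands in current kernel code: `ie_len = umin(ie_len, NDIS_802_11_LENGTH_RATES_EX);`. Also worth stating in the commit message what the clamp means for the caller: a beacon whose SUPP_RATES IE carries more than NDIS_802_11_LENGTH_RATES_EX bytes now has its rate list silently truncated and support_rate_num set to the clamped length, rather than rtw_check_beacon_data() failing the beacon; either behaviour is defensible, but the choice should be explicit.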
@@ -882,8 +883,11 @@ int rtw_check_beacon_data(struct adapter *padapter, u8 *pbuf, int len)
WLAN_EID_EXT_SUPP_RATES,
&ie_len,
pbss_network->ie_length - _BEACON_IE_OFFSET_);
- if (p)
+ if (p && support_rate_num < NDIS_802_11_LENGTH_RATES_EX) {
+ ie_len = min_t(uint, ie_len,
+ NDIS_802_11_LENGTH_RATES_EX - support_rate_num);
memcpy(support_rate + support_rate_num, p + 2, ie_len);
+ }
network_type = rtw_check_network_type(support_rate, channel);
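Review bot: the added `support_rate_num < NDIS_802_11_LENGTH_RATES_EX` condition is redundant. The first hunk clamps ie_len, so support_rate_num can be at most NDIS_802_11_LENGTH_RATES_EX, and in that case the subtraction yields 0 and memcpy() of zero bytes is a no-op. Dropping the extra condition and using umin() keeps the original `if (p)` shape: `ie_len = umin(ie_len, NDIS_802_11_LENGTH_RATES_EX - support_rate_num);` followed by the unchanged memcpy() into `support_rate + support_rate_num`.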
--
2.43.0
* Re: [PATCH 2/2] staging: rtl8723bs: bound SUPP_RATES IE length in rtw_check_beacon_data
From: Dan Carpenter @ 2026-05-12 7:37 UTC
To: Shayaun Nejad
Cc: Greg Kroah-Hartman, linux-staging, linux-wireless, linux-kernel,
stable
On Mon, May 11, 2026 at 06:44:56PM -0700, Shayaun Nejad wrote:
> rtw_check_beacon_data() copies SUPP_RATES and EXT_SUPP_RATES IE
> payloads into a 16-byte support_rate[] buffer.
>
> The IE lengths are used directly, so oversized rate IEs can overflow the
> stack buffer.
>
> Clamp the supported rates copy and the combined extended supported rates
> copy to NDIS_802_11_LENGTH_RATES_EX.
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Shayaun Nejad <snejad123@gmail.com>
> ---
> drivers/staging/rtl8723bs/core/rtw_ap.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_ap.c b/drivers/staging/rtl8723bs/core/rtw_ap.c
> index 4b40124110..363ecb02b5 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_ap.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_ap.c
> @@ -873,6 +873,7 @@ int rtw_check_beacon_data(struct adapter *padapter, u8 *pbuf, int len)
> &ie_len,
> (pbss_network->ie_length - _BEACON_IE_OFFSET_));
> if (p) {
> + ie_len = min_t(uint, ie_len, NDIS_802_11_LENGTH_RATES_EX);
These days we would use umin()
> memcpy(support_rate, p + 2, ie_len);
> support_rate_num = ie_len;
support_rate_num is set here. We know from the min_t() that it's
<= NDIS_802_11_LENGTH_RATES_EX.
> }
> @@ -882,8 +883,11 @@ int rtw_check_beacon_data(struct adapter *padapter, u8 *pbuf, int len)
> WLAN_EID_EXT_SUPP_RATES,
> &ie_len,
> pbss_network->ie_length - _BEACON_IE_OFFSET_);
> - if (p)
> + if (p && support_rate_num < NDIS_802_11_LENGTH_RATES_EX) {
We know that support_rate_num <= NDIS_802_11_LENGTH_RATES_EX. Allowing
== NDIS_802_11_LENGTH_RATES_EX is okay because memcpy() of zero bytes is
a no-op.
> + ie_len = min_t(uint, ie_len,
> + NDIS_802_11_LENGTH_RATES_EX - support_rate_num);
Use umin() here too.
Otherwise the patch is fine.
regards,
dan carpenter
> memcpy(support_rate + support_rate_num, p + 2, ie_len);
> + }
>
> network_type = rtw_check_network_type(support_rate, channel);
>
> --
> 2.43.0
>