From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: Ethan Tidmore, Sam Daly, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v3 1/5] staging: rtl8723bs: fix heap buffer overflow in recvframe_defrag()
Date: Sun, 5 Apr 2026 11:15:44 +0100
Message-ID: <20260405101548.124829-2-delenetchior1@gmail.com>
In-Reply-To: <20260405101548.124829-1-delenetchior1@gmail.com>
References: <20260405101548.124829-1-delenetchior1@gmail.com>

In recvframe_defrag(), a memcpy() copies fragment data into the reassembly buffer before recvframe_put() validates that the buffer has sufficient space. If the total reassembled payload exceeds the receive buffer capacity, this results in a heap buffer overflow.

An attacker within WiFi radio range can exploit this by sending crafted 802.11 fragmented frames. No authentication is required.

Add a bounds check before the memcpy() to verify that the fragment payload fits within the remaining buffer space, using the same error handling pattern already present in the function.

Found by reviewing memory operations in the driver and tracing buffer pointer manipulation through rtw_recv.h inline helpers. Not tested on hardware.
Signed-off-by: Delene Tchio Romuald --- v3: - Rebased on staging-next - Sent as numbered series with proper Cc from get_maintainer.pl v2: - Rebased on staging-next (v1 was based on v7.0-rc6 and did not apply) - Removed Cc: stable (will be added by maintainer) drivers/staging/rtl8723bs/core/rtw_recv.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c index f78194d508dfc..717e0594d983a 100644 --- a/drivers/staging/rtl8723bs/core/rtw_recv.c +++ b/drivers/staging/rtl8723bs/core/rtw_recv.c @@ -1132,7 +1132,13 @@ static union recv_frame *recvframe_defrag(struct adapter *adapter, /* append to first fragment frame's tail (if privacy frame, pull the ICV) */ recvframe_pull_tail(prframe, pfhdr->attrib.icv_len); - /* memcpy */ + /* Verify the receiving buffer has enough space for the fragment */ + if (pnfhdr->len > (uint)(pfhdr->rx_end - pfhdr->rx_tail)) { + rtw_free_recvframe(prframe, pfree_recv_queue); + rtw_free_recvframe_queue(defrag_q, pfree_recv_queue); + return NULL; + } + memcpy(pfhdr->rx_tail, pnfhdr->rx_data, pnfhdr->len); recvframe_put(prframe, pnfhdr->len); -- 2.43.0
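Review bot: the `(uint)` cast in `if (pnfhdr->len > (uint)(pfhdr->rx_end - pfhdr->rx_tail))` turns a negative pointer difference (rx_tail already sitting past rx_end, which is the state an earlier overrun would leave behind) into a large unsigned value, so the new check would accept the copy in exactly the case it should refuse; consider rejecting `pfhdr->rx_tail > pfhdr->rx_end` explicitly before computing the remaining room, or keeping the difference signed. Placing the check after recvframe_pull_tail() is correct, since the ICV pull-back moves rx_tail and so changes the room available. The error path frees prframe with rtw_free_recvframe() and then the whole defrag_q with rtw_free_recvframe_queue(); the hunk context does not show whether prframe has already been unlinked from defrag_q at this point, which the commit message implies by calling this the function's existing pattern, so a reviewer should confirm that to rule out a double free on the new path.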
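As an added illustration (not code from the patch or from the rtl8723bs driver), here is a small C model of the reassembly step the patch guards: a frame tracks rx_data/rx_tail/rx_end like the driver's recv_frame header, the previous piece's ICV is pulled back before each append, and the copy is refused when the fragment would run past rx_end. The struct, its 64-byte buffer, and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the driver's recv_frame bookkeeping (hypothetical, not the
 * real struct): payload lives in [rx_data, rx_tail), rx_end bounds the backing buffer. */
struct frame {
	uint8_t buf[64];       /* backing buffer; size chosen for the example */
	uint8_t *rx_data;
	uint8_t *rx_tail;
	uint8_t *rx_end;
	size_t icv_len;        /* trailing ICV bytes of the last piece appended */
};

static void frame_init(struct frame *f, const uint8_t *p, size_t len, size_t icv_len)
{
	f->rx_data = f->buf;
	memcpy(f->buf, p, len);
	f->rx_tail = f->buf + len;
	f->rx_end = f->buf + sizeof(f->buf);
	f->icv_len = icv_len;
}

/* Bytes an unchecked memcpy() of a fragment of this length (the pre-patch path)
 * would write past rx_end once the ICV has been pulled back. 0 means it fits. */
static size_t defrag_overrun(const struct frame *f, size_t len)
{
	size_t room = (size_t)(f->rx_end - (f->rx_tail - f->icv_len));
	return len > room ? len - room : 0;
}

/* Patched behaviour: pull the previous ICV, then copy only if the fragment fits.
 * Returns 0 on success, -1 when rejected (the frame is left unchanged). */
static int defrag_append(struct frame *f, const uint8_t *frag, size_t len, size_t frag_icv)
{
	if (f->icv_len > (size_t)(f->rx_tail - f->rx_data))
		return -1;                         /* nothing to pull back: corrupt state */
	if (defrag_overrun(f, len))
		return -1;                         /* the bounds check the patch adds */
	f->rx_tail -= f->icv_len;                  /* recvframe_pull_tail(prframe, icv_len) */
	memcpy(f->rx_tail, frag, len);
	f->rx_tail += len;                         /* recvframe_put(prframe, len) */
	f->icv_len = frag_icv;
	return 0;
}

static size_t frame_len(const struct frame *f) { return (size_t)(f->rx_tail - f->rx_data); }
```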