From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-vk1-f176.google.com (mail-vk1-f176.google.com [209.85.221.176])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4AA8C339844
	for <linux-kernel@vger.kernel.org>; Sun,  5 Apr 2026 10:17:46 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.176
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1775384269; cv=none; b=aNehxpuoAtmb0sJ85UXdboubhq7czIXAY8uI1EaFksZi9gpj+DGNJW+pvPn40VQLNaX6C9T7LU/niO9FIZNTOKPM2Utlzicmj6SqU22PIHvF1ba4TtTAeBBCG31F0goW3lsigythbWQhC066zyaG65Y5XYfKyErcCSuC97F1Di8=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1775384269; c=relaxed/simple;
	bh=WvXwoqID+W+qQF7PnB69MiuKzHz4ZGK/2zS7Kb1WCJA=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version; b=WPLKBngOgYoe2fNMmmh0Zd5VM2briVQCJNS9++FiWltnUgaHqcIG1qsvGCt6bv5QHAXcI0CaJspeMkgniAbaODZYWPlmewxdUtCc05Y4oEjPfHD6pipl2fFwWQuQ/w7dZhH1ccS3dqOb+/wzboscmN7KGj8N73y8Zb/OJroStls=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=gRzRN264; arc=none smtp.client-ip=209.85.221.176
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="gRzRN264"
Received: by mail-vk1-f176.google.com with SMTP id 71dfb90a1353d-56a9076813bso1308641e0c.3
        for <linux-kernel@vger.kernel.org>; Sun, 05 Apr 2026 03:17:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1775384265; x=1775989065; darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=4n5p+dCyDkNnPBsGngHUJndKG7h0qsW6y+KF0M7NEV8=;
        b=gRzRN2644Hguj3eiEbLvGHmaC3BjvL0B+8hkZCF6Ac+59QpyLpoTxsukmzyawuS8mw
         l5dZTxaZ0n3xkapQnAAtosSXsaYIyr9hOvegF8B+FU46g/ZwSVq9c+tkfQhZh67YSZQu
         9KnzI2ljV70wnRYjowKpw6eF1z3372C2tapCJp+Xp1HAhABMwsk645N/NdgYpephhuBL
         F4oc/eyBO27Xyp+IkJbUmhCUp+QMwI1GmaiJaUKICGFX7OjOHVistxQwRuk5qd6V4Rka
         lh0grhQfCCsVm7VoSBu5bsKm9nb0xBpYtxsL6lGXj4ofnax2uLrn5JMfH9LD1GGwuIpW
         1XSA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1775384265; x=1775989065;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=4n5p+dCyDkNnPBsGngHUJndKG7h0qsW6y+KF0M7NEV8=;
        b=P0JuIR15BXmHFAPVcOVGCIGXsSCN3czdG/cvmBfRSOBm0or4dZLiaABOHJLMu7kKI2
         YkfNzVaGU41sQDlTKPJDXkrMFDfF2pAAOVTnLR49SAhUxZx3OWYWJ+mEu0PJt/poUZVD
         ORVLbBjsVBzskOjThPyViXx1DylOiuwfAkbTO7IXYKPDCa820hSCkxcmXOG/eYrhuPVl
         P/vdZVo2EALdgV5mlENwqKAP13tbQjAUlEGOf0fZwB0qout8cpQhJ+95dZ9kx0PW1je/
         Q9OV0zjtwtPMw7TrIGKp3/ZjwYjLVHftdkBtacLE5zG/En+1A1ecTfnY6+jtKMVACMwz
         sIPA==
X-Forwarded-Encrypted: i=1; AJvYcCVkT1f92ahYp3zJf/d3hwnGORk9mMJUImRw+5PLnldDoiHtHU9JGEWTJcFEgbkgqolcnyo6sjNm2JchsNo=@vger.kernel.org
X-Gm-Message-State: AOJu0YxsUL3aoaZWCJDfn8osocV1y9R4hZMeYEPyPwV/mSnD1sJSTbzr
	eZW1XMGE+NaMWjeHS9spGDpUigJX7xJhocJeXFXkXt6nAg3Z4dB6LgSW
X-Gm-Gg: AeBDieutvaAVP34T6nJtOoLxT86sFx+Lh06qeH04J8CytlnEe18b9gqn3IpoKv0O+aS
	XHLEvYQDIlbu4jT8MquGyhjD9rLLKIo8TtOJPWPGtawK3Ah5r855hvNBexOrr20kb9sWkIMXKl8
	YlKy/othny2yRFcRgwxKsbQf1h28zGx6O7KHW8tH5Q2D0VQr2ABPpymmNPlsignYUwEHLTpZRUy
	0Lt2COgNmzl98k6v/jxAqnxkMOXGBd4WR/MTt7yQF1QjmMqcenYqGjSCmu7rJ2B0TX8N7pPL7T6
	X9G1JSRLW4xhBmsMhlqiq59yYvJPCl0urV5yL4hGqrjhtWgPejjDSo0HOjTdqlgBHku1PW1EcEw
	pqXqiB3O8q7McH0xIZn03m+Gr1GzRbENypxWNGB0gq0nWTxwzlk/bmNsFXzh2+OArK8MHZUiAl9
	It17ehBHRzu74Q62I6ReDyw1nCtleogyEvZzs1WoUy
X-Received: by 2002:a05:6102:4a88:b0:605:38d2:26d1 with SMTP id ada2fe7eead31-605a4f65a2dmr3497198137.15.1775384265193;
        Sun, 05 Apr 2026 03:17:45 -0700 (PDT)
Received: from localhost.localdomain ([102.244.98.15])
        by smtp.gmail.com with ESMTPSA id a1e0cc1a2514c-953fb897b8dsm10473385241.7.2026.04.05.03.17.40
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 05 Apr 2026 03:17:44 -0700 (PDT)
From: Delene Tchio Romuald <delenetchior1@gmail.com>
To: gregkh@linuxfoundation.org
Cc: Ethan Tidmore <ethantidmore06@gmail.com>,
	Sam Daly <sam@samdaly.ie>,
	linux-staging@lists.linux.dev,
	linux-kernel@vger.kernel.org,
	Delene Tchio Romuald <delenetchior1@gmail.com>
Subject: [PATCH v3 5/5] staging: rtl8723bs: fix negative length in WEP decryption
Date: Sun,  5 Apr 2026 11:15:48 +0100
Message-ID: <20260405101548.124829-6-delenetchior1@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260405101548.124829-1-delenetchior1@gmail.com>
References: <20260405101548.124829-1-delenetchior1@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

In rtw_wep_decrypt(), length is declared as signed int and computed as:

  length = len - hdrlen - iv_len;

If the received frame is shorter than the combined header and IV
lengths, length becomes negative. It is then passed to arc4_crypt()
which takes a u32 parameter, causing the negative value to be
implicitly cast to a very large unsigned value (e.g., -8 becomes
4294967288). This results in a massive out-of-bounds read and write
on the heap via arc4_crypt(), and a similar overflow at the
subsequent crc32_le() call using length - 4.

Add a minimum frame length check before the subtraction to ensure
length is always positive.

Found by reviewing memory operations in the driver.
Not tested on hardware.

Signed-off-by: Delene Tchio Romuald <delenetchior1@gmail.com>
---
v3:
 - Rebased on staging-next
 - Sent as numbered series with proper Cc from get_maintainer.pl

 drivers/staging/rtl8723bs/core/rtw_security.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_security.c b/drivers/staging/rtl8723bs/core/rtw_security.c
index a00504ff29109..f3bc2240749a4 100644
--- a/drivers/staging/rtl8723bs/core/rtw_security.c
+++ b/drivers/staging/rtl8723bs/core/rtw_security.c
@@ -113,6 +113,12 @@ void rtw_wep_decrypt(struct adapter  *padapter, u8 *precvframe)
 		memcpy(&wepkey[0], iv, 3);
 		/* memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[psecuritypriv->dot11PrivacyKeyIndex].skey[0], keylength); */
 		memcpy(&wepkey[3], &psecuritypriv->dot11DefKey[keyindex].skey[0], keylength);
+
+		/* Ensure the frame is long enough for WEP decryption */
+		if (((union recv_frame *)precvframe)->u.hdr.len <=
+		    prxattrib->hdrlen + prxattrib->iv_len)
+			return;
+
 		length = ((union recv_frame *)precvframe)->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_len;
 
 		payload = pframe + prxattrib->iv_len + prxattrib->hdrlen;
-- 
2.43.0