From: Greg KH <gregkh@linuxfoundation.org>
To: Alexandru Hossu <hossu.alexandru@gmail.com>
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org,
dan.carpenter@linaro.org, hansg@kernel.org,
stable@vger.kernel.org, Dan Carpenter <error27@gmail.com>
Subject: Re: [PATCH v2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient
Date: Tue, 14 Apr 2026 19:08:38 +0200 [thread overview]
Message-ID: <2026041427-revisable-snipping-0fe9@gregkh> (raw)
In-Reply-To: <20260414145350.903996-1-hossu.alexandru@gmail.com>
On Tue, Apr 14, 2026 at 04:53:50PM +0200, Alexandru Hossu wrote:
> OnAuthClient() accesses pframe without first verifying that pkt_len is
> large enough to contain a valid 802.11 management frame header:
>
> - get_da(pframe) reads bytes 4-9, requiring pkt_len >= 10
> - GetPrivacy(pframe) reads the FC field at bytes 0-1
>
> Additionally, when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ the
> unsigned subtraction passed to rtw_get_ie() wraps around, causing it
> to scan well past the end of the buffer.
>
> Add an early check against WLAN_HDR_A3_LEN before any pframe access,
> and a second check against WLAN_HDR_A3_LEN + offset + 6 after computing
> offset to guard the seq/status reads and the rtw_get_ie() call.
>
> Reported-by: Dan Carpenter <error27@gmail.com>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> ---
> drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> index 90f27665667a..884cd39ec756 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> @@ -860,6 +860,9 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
> u8 *pframe = precv_frame->u.hdr.rx_data;
> uint pkt_len = precv_frame->u.hdr.len;
>
> + if (pkt_len < WLAN_HDR_A3_LEN)
> + goto authclnt_fail;
> +
> /* check A1 matches or not */
> if (memcmp(myid(&(padapter->eeprompriv)), get_da(pframe), ETH_ALEN))
> return _SUCCESS;
> @@ -869,6 +872,9 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
>
> offset = (GetPrivacy(pframe)) ? 4 : 0;
>
> + if (pkt_len < WLAN_HDR_A3_LEN + offset + 6)
> + goto authclnt_fail;
> +
> seq = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 2));
> status = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 4));
>
> --
> 2.53.0
>
>
Hi,
This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
a patch that has triggered this response. He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created. Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.
You are receiving this message because of the following common error(s)
as indicated below:
- This looks like a new version of a previously submitted patch, but you
did not list below the --- line any changes from the previous version.
Please read the section entitled "The canonical patch format" in the
kernel file, Documentation/process/submitting-patches.rst for what
needs to be done here to properly describe this.
If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.
thanks,
greg k-h's patch email bot
next prev parent reply other threads:[~2026-04-14 17:09 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-13 20:28 [PATCH] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path Alexandru Hossu
2026-04-14 6:19 ` Dan Carpenter
2026-04-14 6:22 ` Alexandru Hossu
2026-04-14 10:08 ` [PATCH] staging: rtl8723bs: fix frame length underflow in OnAuthClient Alexandru Hossu
2026-04-14 12:48 ` Dan Carpenter
2026-04-14 14:28 ` Alexandru Hossu
2026-04-14 14:53 ` [PATCH v2] staging: rtl8723bs: fix missing frame length checks " Alexandru Hossu
2026-04-14 17:08 ` Greg KH [this message]
-- strict thread matches above, loose matches on Subject: below --
2026-04-14 21:39 Alexandru Hossu
2026-04-15 4:47 ` Luka Gejak
2026-04-15 4:56 ` Greg KH
2026-04-15 5:17 ` Luka Gejak
2026-04-15 5:18 ` Luka Gejak
2026-04-15 5:22 ` Luka Gejak
2026-04-15 8:47 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026041427-revisable-snipping-0fe9@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@linaro.org \
--cc=error27@gmail.com \
--cc=hansg@kernel.org \
--cc=hossu.alexandru@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox