* [PATCH] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path
@ 2026-04-13 20:28 Alexandru Hossu
2026-04-14 6:19 ` Dan Carpenter
` (3 more replies)
0 siblings, 4 replies; 15+ messages in thread
From: Alexandru Hossu @ 2026-04-13 20:28 UTC (permalink / raw)
To: gregkh
Cc: linux-staging, linux-kernel, dan.carpenter, hansg, stable,
Alexandru Hossu
rtw_get_ie() returns the raw IE length from the received frame, which
can be up to 255. This length is used directly in memcpy() into
chg_txt[128] with no bounds check, allowing a heap overflow of up to
127 bytes when a rogue AP sends an Auth seq=2 frame with a Challenge
Text IE longer than 128 bytes.
IEEE 802.11 mandates the Challenge Text element carries exactly 128
bytes of challenge data. Reject any element whose length field does not
match sizeof(pmlmeinfo->chg_txt) (128).
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index 5f00fe282d1b..90f27665667a 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -891,7 +891,7 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
p = rtw_get_ie(pframe + WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_, WLAN_EID_CHALLENGE, (int *)&len,
pkt_len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_);
- if (!p)
+ if (!p || len != sizeof(pmlmeinfo->chg_txt))
goto authclnt_fail;
memcpy(pmlmeinfo->chg_txt, p + 2, len);
--
2.53.0
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path
2026-04-13 20:28 [PATCH] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path Alexandru Hossu
@ 2026-04-14 6:19 ` Dan Carpenter
2026-04-14 6:22 ` Alexandru Hossu
` (2 subsequent siblings)
3 siblings, 0 replies; 15+ messages in thread
From: Dan Carpenter @ 2026-04-14 6:19 UTC (permalink / raw)
To: Alexandru Hossu
Cc: gregkh, linux-staging, linux-kernel, dan.carpenter, hansg, stable
On Mon, Apr 13, 2026 at 10:28:24PM +0200, Alexandru Hossu wrote:
> rtw_get_ie() returns the raw IE length from the received frame, which
> can be up to 255. This length is used directly in memcpy() into
> chg_txt[128] with no bounds check, allowing a heap overflow of up to
> 127 bytes when a rogue AP sends an Auth seq=2 frame with a Challenge
> Text IE longer than 128 bytes.
>
> IEEE 802.11 mandates the Challenge Text element carries exactly 128
> bytes of challenge data. Reject any element whose length field does not
> match sizeof(pmlmeinfo->chg_txt) (128).
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
Looks good.
Reviewed-by: Dan Carpenter <error27@gmail.com>
> ---
> drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> index 5f00fe282d1b..90f27665667a 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> @@ -891,7 +891,7 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
> p = rtw_get_ie(pframe + WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_, WLAN_EID_CHALLENGE, (int *)&len,
^^^^^^
Do we know that pframe has enough data?
KTODO: check if pframe is large enough in OnAuthClient()
regards,
dan carpenter
> pkt_len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_);
>
> - if (!p)
> + if (!p || len != sizeof(pmlmeinfo->chg_txt))
> goto authclnt_fail;
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path
2026-04-13 20:28 [PATCH] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path Alexandru Hossu
2026-04-14 6:19 ` Dan Carpenter
@ 2026-04-14 6:22 ` Alexandru Hossu
2026-04-14 10:08 ` [PATCH] staging: rtl8723bs: fix frame length underflow in OnAuthClient Alexandru Hossu
2026-04-14 14:53 ` [PATCH v2] staging: rtl8723bs: fix missing frame length checks " Alexandru Hossu
3 siblings, 0 replies; 15+ messages in thread
From: Alexandru Hossu @ 2026-04-14 6:22 UTC (permalink / raw)
To: dan.carpenter
Cc: linux-staging, linux-kernel, gregkh, hansg, stable,
hossu.alexandru
[-- Attachment #1: Type: text/plain, Size: 672 bytes --]
On Tue, Apr 14, 2026 at 08:19:00AM +0000, Dan Carpenter wrote:
> Looks good.
>
> Reviewed-by: Dan Carpenter <error27@gmail.com>
>
> p = rtw_get_ie(pframe + WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_, WLAN_EID_CHALLENGE, (int *)&len,
> ^^^^^^
> Do we know that pframe has enough data?
>
> KTODO: check if pframe is large enough in OnAuthClient()
Good catch. There's no minimum length check before the subtraction,
so a frame shorter than WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ (30 bytes)
would cause pkt_len to underflow since it's unsigned. I'll send a
follow-up patch adding the check.
Thanks for the review.
Alexandru
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH] staging: rtl8723bs: fix frame length underflow in OnAuthClient
2026-04-13 20:28 [PATCH] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path Alexandru Hossu
2026-04-14 6:19 ` Dan Carpenter
2026-04-14 6:22 ` Alexandru Hossu
@ 2026-04-14 10:08 ` Alexandru Hossu
2026-04-14 12:48 ` Dan Carpenter
2026-04-14 14:28 ` Alexandru Hossu
2026-04-14 14:53 ` [PATCH v2] staging: rtl8723bs: fix missing frame length checks " Alexandru Hossu
3 siblings, 2 replies; 15+ messages in thread
From: Alexandru Hossu @ 2026-04-14 10:08 UTC (permalink / raw)
To: gregkh
Cc: linux-staging, linux-kernel, dan.carpenter, hansg, stable,
hossu.alexandru, Dan Carpenter
If pkt_len is less than WLAN_HDR_A3_LEN + offset + 6, the reads of
the seq and status fields go beyond the frame buffer. Additionally,
when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ (30 bytes), the
subtraction passed to rtw_get_ie() wraps around since pkt_len is
unsigned, causing rtw_get_ie() to scan well past the end of the buffer.
Add a minimum length check after computing offset to reject frames
that are too short before any fixed field access.
Reported-by: Dan Carpenter <error27@gmail.com>
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index 90f27665667a..6b0ac54ad3d4 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -869,6 +869,9 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
offset = (GetPrivacy(pframe)) ? 4 : 0;
+ if (pkt_len < WLAN_HDR_A3_LEN + offset + 6)
+ goto authclnt_fail;
+
seq = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 2));
status = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 4));
--
2.53.0
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH] staging: rtl8723bs: fix frame length underflow in OnAuthClient
2026-04-14 10:08 ` [PATCH] staging: rtl8723bs: fix frame length underflow in OnAuthClient Alexandru Hossu
@ 2026-04-14 12:48 ` Dan Carpenter
2026-04-14 14:28 ` Alexandru Hossu
1 sibling, 0 replies; 15+ messages in thread
From: Dan Carpenter @ 2026-04-14 12:48 UTC (permalink / raw)
To: Alexandru Hossu
Cc: gregkh, linux-staging, linux-kernel, dan.carpenter, hansg, stable
On Tue, Apr 14, 2026 at 12:08:04PM +0200, Alexandru Hossu wrote:
> If pkt_len is less than WLAN_HDR_A3_LEN + offset + 6, the reads of
> the seq and status fields go beyond the frame buffer. Additionally,
> when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ (30 bytes), the
> subtraction passed to rtw_get_ie() wraps around since pkt_len is
> unsigned, causing rtw_get_ie() to scan well past the end of the buffer.
>
> Add a minimum length check after computing offset to reject frames
> that are too short before any fixed field access.
>
> Reported-by: Dan Carpenter <error27@gmail.com>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> ---
> drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> index 90f27665667a..6b0ac54ad3d4 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> @@ -869,6 +869,9 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
>
> offset = (GetPrivacy(pframe)) ? 4 : 0;
^^^^^^
Do we know for sure that this is within bounds? And there is earlier
code which pokes in pframe as well. This code is quite complicated.
I looked at how to do bounds checking but it all seems pretty
complicated to me and I haven't investigated this enough to know the
right answers.
regards,
dan carpenter
>
> + if (pkt_len < WLAN_HDR_A3_LEN + offset + 6)
> + goto authclnt_fail;
> +
> seq = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 2));
> status = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 4));
>
> --
> 2.53.0
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH] staging: rtl8723bs: fix frame length underflow in OnAuthClient
2026-04-14 10:08 ` [PATCH] staging: rtl8723bs: fix frame length underflow in OnAuthClient Alexandru Hossu
2026-04-14 12:48 ` Dan Carpenter
@ 2026-04-14 14:28 ` Alexandru Hossu
1 sibling, 0 replies; 15+ messages in thread
From: Alexandru Hossu @ 2026-04-14 14:28 UTC (permalink / raw)
To: dan.carpenter
Cc: gregkh, linux-staging, linux-kernel, hansg, stable,
hossu.alexandru
[-- Attachment #1: Type: text/plain, Size: 484 bytes --]
On Tue, Apr 14, 2026 at 03:02:00PM +0000, Dan Carpenter wrote:
> Do we know for sure that this is within bounds? And there is earlier
> code which pokes in pframe as well. This code is quite complicated.
You're right, I missed that. get_da(pframe) at the top of the function
already accesses pframe+4..+9, and GetPrivacy() reads the FC field,
both without any length check. I'll add an early check against
WLAN_HDR_A3_LEN before any pframe access and send a v2.
Thanks,
Alexandru
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient
2026-04-13 20:28 [PATCH] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path Alexandru Hossu
` (2 preceding siblings ...)
2026-04-14 10:08 ` [PATCH] staging: rtl8723bs: fix frame length underflow in OnAuthClient Alexandru Hossu
@ 2026-04-14 14:53 ` Alexandru Hossu
2026-04-14 17:08 ` Greg KH
3 siblings, 1 reply; 15+ messages in thread
From: Alexandru Hossu @ 2026-04-14 14:53 UTC (permalink / raw)
To: gregkh
Cc: linux-staging, linux-kernel, dan.carpenter, hansg, stable,
hossu.alexandru, Dan Carpenter
OnAuthClient() accesses pframe without first verifying that pkt_len is
large enough to contain a valid 802.11 management frame header:
- get_da(pframe) reads bytes 4-9, requiring pkt_len >= 10
- GetPrivacy(pframe) reads the FC field at bytes 0-1
Additionally, when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ the
unsigned subtraction passed to rtw_get_ie() wraps around, causing it
to scan well past the end of the buffer.
Add an early check against WLAN_HDR_A3_LEN before any pframe access,
and a second check against WLAN_HDR_A3_LEN + offset + 6 after computing
offset to guard the seq/status reads and the rtw_get_ie() call.
Reported-by: Dan Carpenter <error27@gmail.com>
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index 90f27665667a..884cd39ec756 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -860,6 +860,9 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
u8 *pframe = precv_frame->u.hdr.rx_data;
uint pkt_len = precv_frame->u.hdr.len;
+ if (pkt_len < WLAN_HDR_A3_LEN)
+ goto authclnt_fail;
+
/* check A1 matches or not */
if (memcmp(myid(&(padapter->eeprompriv)), get_da(pframe), ETH_ALEN))
return _SUCCESS;
@@ -869,6 +872,9 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
offset = (GetPrivacy(pframe)) ? 4 : 0;
+ if (pkt_len < WLAN_HDR_A3_LEN + offset + 6)
+ goto authclnt_fail;
+
seq = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 2));
status = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 4));
--
2.53.0
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH v2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient
2026-04-14 14:53 ` [PATCH v2] staging: rtl8723bs: fix missing frame length checks " Alexandru Hossu
@ 2026-04-14 17:08 ` Greg KH
0 siblings, 0 replies; 15+ messages in thread
From: Greg KH @ 2026-04-14 17:08 UTC (permalink / raw)
To: Alexandru Hossu
Cc: linux-staging, linux-kernel, dan.carpenter, hansg, stable,
Dan Carpenter
On Tue, Apr 14, 2026 at 04:53:50PM +0200, Alexandru Hossu wrote:
> OnAuthClient() accesses pframe without first verifying that pkt_len is
> large enough to contain a valid 802.11 management frame header:
>
> - get_da(pframe) reads bytes 4-9, requiring pkt_len >= 10
> - GetPrivacy(pframe) reads the FC field at bytes 0-1
>
> Additionally, when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ the
> unsigned subtraction passed to rtw_get_ie() wraps around, causing it
> to scan well past the end of the buffer.
>
> Add an early check against WLAN_HDR_A3_LEN before any pframe access,
> and a second check against WLAN_HDR_A3_LEN + offset + 6 after computing
> offset to guard the seq/status reads and the rtw_get_ie() call.
>
> Reported-by: Dan Carpenter <error27@gmail.com>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> ---
> drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> index 90f27665667a..884cd39ec756 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> @@ -860,6 +860,9 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
> u8 *pframe = precv_frame->u.hdr.rx_data;
> uint pkt_len = precv_frame->u.hdr.len;
>
> + if (pkt_len < WLAN_HDR_A3_LEN)
> + goto authclnt_fail;
> +
> /* check A1 matches or not */
> if (memcmp(myid(&(padapter->eeprompriv)), get_da(pframe), ETH_ALEN))
> return _SUCCESS;
> @@ -869,6 +872,9 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
>
> offset = (GetPrivacy(pframe)) ? 4 : 0;
>
> + if (pkt_len < WLAN_HDR_A3_LEN + offset + 6)
> + goto authclnt_fail;
> +
> seq = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 2));
> status = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 4));
>
> --
> 2.53.0
>
>
Hi,
This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
a patch that has triggered this response. He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created. Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.
You are receiving this message because of the following common error(s)
as indicated below:
- This looks like a new version of a previously submitted patch, but you
did not list below the --- line any changes from the previous version.
Please read the section entitled "The canonical patch format" in the
kernel file, Documentation/process/submitting-patches.rst for what
needs to be done here to properly describe this.
If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.
thanks,
greg k-h's patch email bot
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH v2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient
@ 2026-04-14 21:39 Alexandru Hossu
2026-04-15 4:47 ` Luka Gejak
` (2 more replies)
0 siblings, 3 replies; 15+ messages in thread
From: Alexandru Hossu @ 2026-04-14 21:39 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, linux-kernel, error27, stable, Alexandru Hossu
OnAuthClient() accesses pframe without first verifying that pkt_len is
large enough to contain a valid 802.11 management frame header:
- get_da(pframe) reads bytes 4-9, requiring pkt_len >= 10
- GetPrivacy(pframe) reads the FC field at bytes 0-1
Additionally, when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ the
unsigned subtraction passed to rtw_get_ie() wraps around, causing it
to scan well past the end of the buffer.
Add an early check against WLAN_HDR_A3_LEN before any pframe access,
and a second check against WLAN_HDR_A3_LEN + offset + 6 after computing
offset to guard the seq/status reads and the rtw_get_ie() call.
Suggested-by: Dan Carpenter <error27@gmail.com>
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
Changes in v2:
- Replace incorrect Reported-by tag with Suggested-by: Dan spotted the
missing length check during code review of the heap overflow fix; he
did not file a separate bug report
- Add missing version changelog (the initial submission was incorrectly
labeled v2; no v1 was ever sent to the list)
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index 90f27665667a..884cd39ec756 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -860,6 +860,9 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
u8 *pframe = precv_frame->u.hdr.rx_data;
uint pkt_len = precv_frame->u.hdr.len;
+ if (pkt_len < WLAN_HDR_A3_LEN)
+ goto authclnt_fail;
+
/* check A1 matches or not */
if (memcmp(myid(&(padapter->eeprompriv)), get_da(pframe), ETH_ALEN))
return _SUCCESS;
@@ -869,6 +872,9 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
offset = (GetPrivacy(pframe)) ? 4 : 0;
+ if (pkt_len < WLAN_HDR_A3_LEN + offset + 6)
+ goto authclnt_fail;
+
seq = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 2));
status = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 4));
--
2.53.0
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH v2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient
2026-04-14 21:39 Alexandru Hossu
@ 2026-04-15 4:47 ` Luka Gejak
2026-04-15 4:56 ` Greg KH
2026-04-15 8:47 ` Dan Carpenter
2 siblings, 0 replies; 15+ messages in thread
From: Luka Gejak @ 2026-04-15 4:47 UTC (permalink / raw)
To: Alexandru Hossu, gregkh; +Cc: linux-staging, linux-kernel, error27, stable
On Tue Apr 14, 2026 at 11:39 PM CEST, Alexandru Hossu wrote:
> OnAuthClient() accesses pframe without first verifying that pkt_len is
> large enough to contain a valid 802.11 management frame header:
>
> - get_da(pframe) reads bytes 4-9, requiring pkt_len >= 10
> - GetPrivacy(pframe) reads the FC field at bytes 0-1
>
> Additionally, when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ the
> unsigned subtraction passed to rtw_get_ie() wraps around, causing it
> to scan well past the end of the buffer.
>
> Add an early check against WLAN_HDR_A3_LEN before any pframe access,
> and a second check against WLAN_HDR_A3_LEN + offset + 6 after computing
> offset to guard the seq/status reads and the rtw_get_ie() call.
>
> Suggested-by: Dan Carpenter <error27@gmail.com>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> ---
> Changes in v2:
> - Replace incorrect Reported-by tag with Suggested-by: Dan spotted the
> missing length check during code review of the heap overflow fix; he
> did not file a separate bug report
> - Add missing version changelog (the initial submission was incorrectly
> labeled v2; no v1 was ever sent to the list)
>
> drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> index 90f27665667a..884cd39ec756 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> @@ -860,6 +860,9 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
> u8 *pframe = precv_frame->u.hdr.rx_data;
> uint pkt_len = precv_frame->u.hdr.len;
>
> + if (pkt_len < WLAN_HDR_A3_LEN)
> + goto authclnt_fail;
> +
> /* check A1 matches or not */
> if (memcmp(myid(&(padapter->eeprompriv)), get_da(pframe), ETH_ALEN))
> return _SUCCESS;
> @@ -869,6 +872,9 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
>
> offset = (GetPrivacy(pframe)) ? 4 : 0;
>
> + if (pkt_len < WLAN_HDR_A3_LEN + offset + 6)
> + goto authclnt_fail;
> +
> seq = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 2));
> status = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 4));
>
LGTM.
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Best regards,
Luka Gejak
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient
2026-04-14 21:39 Alexandru Hossu
2026-04-15 4:47 ` Luka Gejak
@ 2026-04-15 4:56 ` Greg KH
2026-04-15 5:17 ` Luka Gejak
2026-04-15 5:18 ` Luka Gejak
2026-04-15 8:47 ` Dan Carpenter
2 siblings, 2 replies; 15+ messages in thread
From: Greg KH @ 2026-04-15 4:56 UTC (permalink / raw)
To: Alexandru Hossu; +Cc: linux-staging, linux-kernel, error27, stable
On Tue, Apr 14, 2026 at 11:39:59PM +0200, Alexandru Hossu wrote:
> OnAuthClient() accesses pframe without first verifying that pkt_len is
> large enough to contain a valid 802.11 management frame header:
>
> - get_da(pframe) reads bytes 4-9, requiring pkt_len >= 10
> - GetPrivacy(pframe) reads the FC field at bytes 0-1
>
> Additionally, when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ the
> unsigned subtraction passed to rtw_get_ie() wraps around, causing it
> to scan well past the end of the buffer.
>
> Add an early check against WLAN_HDR_A3_LEN before any pframe access,
> and a second check against WLAN_HDR_A3_LEN + offset + 6 after computing
> offset to guard the seq/status reads and the rtw_get_ie() call.
>
> Suggested-by: Dan Carpenter <error27@gmail.com>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> ---
> Changes in v2:
> - Replace incorrect Reported-by tag with Suggested-by: Dan spotted the
> missing length check during code review of the heap overflow fix; he
> did not file a separate bug report
> - Add missing version changelog (the initial submission was incorrectly
> labeled v2; no v1 was ever sent to the list)
So this is really v3?
And based on the thread, there was a v1, this one just replaced that.
If not, then I'm totally confused, please resend ALL pending patches for
this driver that you have as a patch series, properly versioned.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient
2026-04-15 4:56 ` Greg KH
@ 2026-04-15 5:17 ` Luka Gejak
2026-04-15 5:18 ` Luka Gejak
1 sibling, 0 replies; 15+ messages in thread
From: Luka Gejak @ 2026-04-15 5:17 UTC (permalink / raw)
To: Greg KH, Alexandru Hossu; +Cc: linux-staging, linux-kernel, error27, stable
On Wed Apr 15, 2026 at 6:56 AM CEST, Greg KH wrote:
> On Tue, Apr 14, 2026 at 11:39:59PM +0200, Alexandru Hossu wrote:
>> OnAuthClient() accesses pframe without first verifying that pkt_len is
>> large enough to contain a valid 802.11 management frame header:
>>
>> - get_da(pframe) reads bytes 4-9, requiring pkt_len >= 10
>> - GetPrivacy(pframe) reads the FC field at bytes 0-1
>>
>> Additionally, when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ the
>> unsigned subtraction passed to rtw_get_ie() wraps around, causing it
>> to scan well past the end of the buffer.
>>
>> Add an early check against WLAN_HDR_A3_LEN before any pframe access,
>> and a second check against WLAN_HDR_A3_LEN + offset + 6 after computing
>> offset to guard the seq/status reads and the rtw_get_ie() call.
>>
>> Suggested-by: Dan Carpenter <error27@gmail.com>
>> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
>> ---
>> Changes in v2:
>> - Replace incorrect Reported-by tag with Suggested-by: Dan spotted the
>> missing length check during code review of the heap overflow fix; he
>> did not file a separate bug report
>> - Add missing version changelog (the initial submission was incorrectly
>> labeled v2; no v1 was ever sent to the list)
>
> So this is really v3?
>
...
This would actually be v4.
v1: [1]
v2: [2]
v3: [3]
v4: [4]
Best regards,
Luka Gejak
[1]: https://lore.kernel.org/linux-staging/20260413202824.740653-1-hossu.alexandru@gmail.com/
[2]: https://lore.kernel.org/linux-staging/20260414100804.871764-1-hossu.alexandru@gmail.com/
[3]: https://lore.kernel.org/linux-staging/20260414145350.903996-1-hossu.alexandru@gmail.com/
[4]: https://lore.kernel.org/linux-staging/20260414213959.1028301-1-hossu.alexandru@gmail.com/
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient
2026-04-15 4:56 ` Greg KH
2026-04-15 5:17 ` Luka Gejak
@ 2026-04-15 5:18 ` Luka Gejak
2026-04-15 5:22 ` Luka Gejak
1 sibling, 1 reply; 15+ messages in thread
From: Luka Gejak @ 2026-04-15 5:18 UTC (permalink / raw)
To: gregkh; +Cc: error27, hossu.alexandru, linux-kernel, linux-staging, stable
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient
2026-04-15 5:18 ` Luka Gejak
@ 2026-04-15 5:22 ` Luka Gejak
0 siblings, 0 replies; 15+ messages in thread
From: Luka Gejak @ 2026-04-15 5:22 UTC (permalink / raw)
To: Luka Gejak, gregkh
Cc: error27, hossu.alexandru, linux-kernel, linux-staging, stable
On Wed Apr 15, 2026 at 7:18 AM CEST, Luka Gejak wrote:
>
Ignore this email, aerc(my email client) is having quirks.
Best regards,
Luka Gejak
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH v2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient
2026-04-14 21:39 Alexandru Hossu
2026-04-15 4:47 ` Luka Gejak
2026-04-15 4:56 ` Greg KH
@ 2026-04-15 8:47 ` Dan Carpenter
2 siblings, 0 replies; 15+ messages in thread
From: Dan Carpenter @ 2026-04-15 8:47 UTC (permalink / raw)
To: Alexandru Hossu; +Cc: gregkh, linux-staging, linux-kernel, stable
On Tue, Apr 14, 2026 at 11:39:59PM +0200, Alexandru Hossu wrote:
> OnAuthClient() accesses pframe without first verifying that pkt_len is
> large enough to contain a valid 802.11 management frame header:
>
> - get_da(pframe) reads bytes 4-9, requiring pkt_len >= 10
> - GetPrivacy(pframe) reads the FC field at bytes 0-1
>
> Additionally, when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ the
> unsigned subtraction passed to rtw_get_ie() wraps around, causing it
> to scan well past the end of the buffer.
>
> Add an early check against WLAN_HDR_A3_LEN before any pframe access,
> and a second check against WLAN_HDR_A3_LEN + offset + 6 after computing
> offset to guard the seq/status reads and the rtw_get_ie() call.
>
> Suggested-by: Dan Carpenter <error27@gmail.com>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> ---
Looks good!
Reviewed-by: Dan Carpenter <error27@gmail.com>
regards,
dan carpenter
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2026-04-15 8:47 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-13 20:28 [PATCH] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path Alexandru Hossu
2026-04-14 6:19 ` Dan Carpenter
2026-04-14 6:22 ` Alexandru Hossu
2026-04-14 10:08 ` [PATCH] staging: rtl8723bs: fix frame length underflow in OnAuthClient Alexandru Hossu
2026-04-14 12:48 ` Dan Carpenter
2026-04-14 14:28 ` Alexandru Hossu
2026-04-14 14:53 ` [PATCH v2] staging: rtl8723bs: fix missing frame length checks " Alexandru Hossu
2026-04-14 17:08 ` Greg KH
-- strict thread matches above, loose matches on Subject: below --
2026-04-14 21:39 Alexandru Hossu
2026-04-15 4:47 ` Luka Gejak
2026-04-15 4:56 ` Greg KH
2026-04-15 5:17 ` Luka Gejak
2026-04-15 5:18 ` Luka Gejak
2026-04-15 5:22 ` Luka Gejak
2026-04-15 8:47 ` Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox