From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: dan.carpenter@linaro.org, error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v4 0/5] staging: rtl8723bs: fix multiple security vulnerabilities
Date: Wed, 15 Apr 2026 19:54:56 +0100
Message-ID: <20260415185501.440492-1-delenetchior1@gmail.com>

This series fixes five remotely-triggerable memory safety issues in the rtl8723bs driver. All of them are reachable from the air by an attacker within WiFi radio range, without authentication, via crafted management or data frames:

1. Heap buffer overflow in recvframe_defrag() when reassembling fragmented frames whose total payload exceeds the receive buffer capacity.

2. Integer underflow in TKIP MIC verification when a frame is shorter than the sum of header, IV, ICV and MIC sizes.

3. Out-of-bounds read in portctrl() when a non-EAPOL frame is shorter than the 802.11 header + IV + LLC + ether_type.

4. Out-of-bounds reads in three IE walkers (rtw_get_wapi_ie(), rtw_get_sec_ie(), rtw_get_wps_ie()) due to missing validation of the TLV length byte.

5. Integer underflow in rtw_wep_decrypt() when a WEP frame is shorter than the header + IV.

Each patch was found by code review and is not tested on hardware.
Changes since v3:
- Patch 1/5 (recvframe_defrag): check the return values of recvframe_pull() and recvframe_pull_tail(); on failure those helpers revert their pointer updates and return NULL, so the subsequent rx_end - rx_tail bounds check must not run on stale pointers (Dan Carpenter).
- Patch 1/5: drop the unnecessary (uint) cast in the bounds check (Dan Carpenter).
- All patches: add Fixes: tag pointing at the driver import and add the stable backport tag, per Dan Carpenter's request.
- Patches 2-5: carry Reviewed-by: Luka Gejak. Patch 1/5 lost Luka's tag because the code changed.

Changes since v2:
- Sent as numbered series with cover letter.
- Cc list regenerated from scripts/get_maintainer.pl.

Changes since v1:
- Rebased on staging-next (v1 was based on v7.0-rc6 and did not apply).

Delene Tchio Romuald (5):
  staging: rtl8723bs: fix heap buffer overflow in recvframe_defrag()
  staging: rtl8723bs: fix integer underflow in TKIP MIC verification
  staging: rtl8723bs: fix out-of-bounds read in portctrl()
  staging: rtl8723bs: fix out-of-bounds reads in IE parsing functions
  staging: rtl8723bs: fix negative length in WEP decryption

 .../staging/rtl8723bs/core/rtw_ieee80211.c    | 15 ++++-
 drivers/staging/rtl8723bs/core/rtw_recv.c     | 55 ++++++++++++++-----
 drivers/staging/rtl8723bs/core/rtw_security.c |  6 ++
 3 files changed, 60 insertions(+), 16 deletions(-)

base-commit: bf9c95f3eeefb7fc4b4a6380cc23f1dca744e379
-- 
2.43.0
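The two defect classes the cover letter lists, shown as an added, self-contained C example rather than the driver's own code: a bounds-checked IE (TLV) walker of the kind items 4 describes, and a frame-length check that compares before subtracting, which is the pattern behind items 2 and 5. The function names and the sample IE bytes are constructed for this example; the TKIP IV/MIC/ICV sizes are the standard 802.11i values.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not the rtl8723bs code. Two defensive length checks of the
 * kind the series describes: a TLV walker that validates the IE length byte
 * and a frame-length check done by comparison instead of subtraction.
 * TKIP overhead sizes are the standard 802.11i values. */
enum { TKIP_IV_LEN = 8, TKIP_MIC_LEN = 8, TKIP_ICV_LEN = 4 };

/* Walk 802.11 IEs (1-byte ID, 1-byte length, payload). Returns the payload
 * length of the first IE with ID `want` (and its address via *payload when
 * non-NULL), or -1 if it is absent or any IE claims more bytes than remain. */
long find_ie(const uint8_t *ies, size_t ies_len, uint8_t want,
             const uint8_t **payload)
{
    size_t off = 0;
    while (off < ies_len) {
        if (ies_len - off < 2)          /* ID byte without a length byte */
            return -1;
        uint8_t id  = ies[off];
        size_t  len = ies[off + 1];
        if (len > ies_len - off - 2)    /* the missing check: payload must fit */
            return -1;
        if (id == want) {
            if (payload)
                *payload = ies + off + 2;
            return (long)len;
        }
        off += 2 + len;
    }
    return -1;
}

/* Bytes of MIC-protected data in a TKIP frame, or -1 if the frame is too
 * short to hold header + IV + MIC + ICV. Comparing before subtracting means a
 * short frame yields -1 instead of an unsigned length that wrapped around. */
long tkip_protected_len(size_t frame_len, size_t hdr_len)
{
    size_t overhead = hdr_len + TKIP_IV_LEN + TKIP_MIC_LEN + TKIP_ICV_LEN;
    return overhead > frame_len ? -1 : (long)(frame_len - overhead);
}

/* Constructed sample: SSID IE "test" (ID 0) followed by an RSN IE (ID 48). */
static const uint8_t sample_ies[] = { 0x00, 0x04, 't', 'e', 's', 't',
                                      0x30, 0x02, 0x01, 0x00 };
/* Constructed malformed sample: an IE claiming 255 bytes in a 3-byte buffer. */
static const uint8_t bad_ies[] = { 0x00, 0xff, 0x41 };
```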