From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ua1-f50.google.com (mail-ua1-f50.google.com [209.85.222.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5BE3734DCC7 for ; Fri, 17 Apr 2026 06:12:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.50 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776406335; cv=none; b=lbEMhwOAXb32ho8lh5gka1piVHdxw2t3+q67jEYm1gBfM+6osuUNf0O8kDj2bo3oLVh+jpkNzUWJzVQ/+PbpFLznlfd/DQCJpMn+Z1MvCaZ279VzPcPASRJM2CsyzXrlGD5p2Rno/iM3HTdz6oQjRFfjLGtYMAfPoJ2jeb+A/E4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776406335; c=relaxed/simple; bh=hAE7G4N9Ya6db2lFHzOOzat8Ysmrwdz8cUZo69vB634=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=NhnUMMqcLYx8Je73xdHMN8wSkjJx3zlNFG4m0WNn9yEXfH/HS/es9vmiaawH2Gl5tBRUynMgrM8WkYpn6InIdb9EgtpYp8H0XE3UleBCJ2LQoGse7uYTYnP8vG6EHVYok+20ud/OJSqrJLYIJnXODYleXYSMZYV9FTQyl5lW0mo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=kZTNTFWV; arc=none smtp.client-ip=209.85.222.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="kZTNTFWV" Received: by mail-ua1-f50.google.com with SMTP id a1e0cc1a2514c-9568159ee07so203968241.1 for ; Thu, 16 Apr 2026 23:12:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776406333; x=1777011133; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=es+n8UsduHXyp24gV37gSZyOHkapEOeq0C7l32e5LWs=; b=kZTNTFWVztvzet7cddAq6qOiKKMUuTdsqhxHZuRT1iB0a6t4ZSUDN+s+5A8rXJB9oM efMYmj8kEGAEH1wMlXmSK2KYiCtkIxdfKiGKljCeYd50b8Y3NJl/ltlrTD2mlW956IB4 1qDGbM4S1JmLP29dz6dDmRDKTPrUHsGbRACFeKtsNMDP/gwsN2Cvvvev4n0V5tjjAnHd DbpZA1MVLIvxb7ZYX1yp61CH9EyDolUZRHkQGbLGG/oQ7ET0ysYMIHA1lkZsGUwJra0p y0bViC1jS1NBk0+rR59bef7I654tknYS51i0xji5C2hEwOto9qGRLop7hm3rv7Sk0qx+ PzKw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776406333; x=1777011133; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=es+n8UsduHXyp24gV37gSZyOHkapEOeq0C7l32e5LWs=; b=Yz6hEBpfzrLbm7OBG9TgXm1DV4Z9hKj0oVjB5dXHwQaBJnv/fpK6DP2VOjakOiKY9c TlfYQQAT1XA3V5N3yveoWW7bGyBnVnONCCaOROfycz9Doh0yWfYezpW1uqYkhy+fXztw bYjjB7ocVGZxjawZAqAXBn3O1jIeTWrnt3orbGXuJFvSIKabOHIGpBK5qLItjov+eEfJ Gumbt84wKH5lgCQF0yH9NcqvcQ7Yc71MxvbkIV32hzPY/e+tf8UNX/TibLE/EM+9gwhx sq5U/OpsEXd5FyLYb9jts+iQltMwiDX5UbqHLin6sNOuUyOKHXXOMJD3a8Z4FFTzsFkL 5K7A== X-Forwarded-Encrypted: i=1; AFNElJ8u7tpxVwLwiC15uIcOvtXUwrj49VyR1JhZ9MClmuvIego2KzNzjmgSX5l9PvG1mQAOrNRCxpLDU0oN7+s=@vger.kernel.org X-Gm-Message-State: AOJu0Ywf5zHq57Zw7EAtWr1W+HnyCDmMp8tOkk0Rr1B30Js8sRsaAk1M AgNJVHjmP2ky3m2p/L9MHZGRpL1KUy9B+ngijCuQEJ94zR08ReCvp3QF X-Gm-Gg: AeBDiev/zm8DAFMZYJGzZ+1WouvaN8Wmx7Sn0gBF6aNA0ZyrhV7tOK3Zl8/0u2jwdZa pz0Xoh6w2gZ4QUWWgHRN6Dvjig7bD/RJxWb9EekZuJEs/vP15GZPJX0Gux4y+bNyAfTMiFT5vLl E/gauNk0fYouGzjf37alolWIn7F8QLdm+TI45lPdJ8HCIBRMydSV2R/ROi0hkyfDEsmuSh2mOE2 Q6pXPdkUNHAPuxWcOvtdM1Q1UfMZR3A7SkGtO0j9TmGCGoXnuLWjEeVMqMMTbnq2gp/l2qKyZmG 1FgHih7fKZibQUzaj1JJwJPFRKM3HVsKdqoaRZJp/ysv/iEzJmFWvUCTaNQy8um+PJO/r4tEA/0 WPR9NBxm1LDk+ekQ95hkvw8nNwkhPXk1A7q9EQHHrq3Z1BEitqZLiBXBnk305hIA5aOgSayMwgf 94vbPNJPa0QOAmr5SAsgzKkTw3G8MnExXEqmPuyiKzTKmoFk70YVzk X-Received: by 2002:a05:6102:6cd:b0:607:5cd7:cbbe with SMTP id ada2fe7eead31-616f58a6866mr649466137.13.1776406333287; Thu, 16 Apr 2026 23:12:13 -0700 (PDT) Received: from localhost.localdomain ([102.244.98.124]) by smtp.gmail.com with ESMTPSA id a1e0cc1a2514c-9589093a8bbsm297947241.3.2026.04.16.23.12.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 Apr 2026 23:12:12 -0700 (PDT) From: Delene Tchio Romuald To: gregkh@linuxfoundation.org Cc: error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald Subject: [PATCH v6 1/5] staging: rtl8723bs: fix heap buffer overflow in recvframe_defrag() Date: Fri, 17 Apr 2026 07:10:44 +0100 Message-ID: <20260417061048.62484-2-delenetchior1@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260417061048.62484-1-delenetchior1@gmail.com> References: <20260417061048.62484-1-delenetchior1@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit In recvframe_defrag(), a memcpy() copies fragment data into the reassembly buffer before validating that the buffer has sufficient space. If the total reassembled payload exceeds the receive buffer capacity, this results in a heap buffer overflow. Additionally, the return values of recvframe_pull() and recvframe_pull_tail() were ignored. On failure those helpers revert their pointer updates and return NULL; continuing past such a failure would leave pfhdr->rx_tail at its pre-strip value, so the subsequent bounds check against rx_end - rx_tail would operate on stale pointers. An attacker within WiFi radio range can exploit this by sending crafted 802.11 fragmented frames. No authentication is required. Check the return values of recvframe_pull() and recvframe_pull_tail(), then verify that the fragment payload fits within the remaining buffer space before the memcpy(). Consolidate the five cleanup paths through a single out_err label. Found by reviewing memory operations in the driver and tracing buffer pointer manipulation through rtw_recv.h inline helpers. Not tested on hardware. Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable@vger.kernel.org Signed-off-by: Delene Tchio Romuald --- v6: restore the '/* memcpy */' comment that v5 had removed as drive-by cleanup (Dan Carpenter). v5: collapse the identical cleanup sites into a single out_err label (Dan Carpenter). v4: check return values of recvframe_pull() and recvframe_pull_tail(); drop unnecessary (uint) cast; add Fixes: tag and Cc: stable (Dan Carpenter). v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl. v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply). drivers/staging/rtl8723bs/core/rtw_recv.c | 36 ++++++++++++----------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c index f78194d508dfc..8d5d9a6dc4db0 100644 --- a/drivers/staging/rtl8723bs/core/rtw_recv.c +++ b/drivers/staging/rtl8723bs/core/rtw_recv.c @@ -1090,14 +1090,9 @@ static union recv_frame *recvframe_defrag(struct adapter *adapter, pfhdr = &prframe->u.hdr; list_del_init(&(prframe->u.list)); - if (curfragnum != pfhdr->attrib.frag_num) { - /* the first fragment number must be 0 */ - /* free the whole queue */ - rtw_free_recvframe(prframe, pfree_recv_queue); - rtw_free_recvframe_queue(defrag_q, pfree_recv_queue); - - return NULL; - } + /* the first fragment number must be 0 */ + if (curfragnum != pfhdr->attrib.frag_num) + goto out_err; curfragnum++; @@ -1112,13 +1107,9 @@ static union recv_frame *recvframe_defrag(struct adapter *adapter, /* check the fragment sequence (2nd ~n fragment frame) */ - if (curfragnum != pnfhdr->attrib.frag_num) { - /* the fragment number must be increasing (after decache) */ - /* release the defrag_q & prframe */ - rtw_free_recvframe(prframe, pfree_recv_queue); - rtw_free_recvframe_queue(defrag_q, pfree_recv_queue); - return NULL; - } + /* the fragment number must be increasing (after decache) */ + if (curfragnum != pnfhdr->attrib.frag_num) + goto out_err; curfragnum++; @@ -1127,10 +1118,16 @@ static union recv_frame *recvframe_defrag(struct adapter *adapter, wlanhdr_offset = pnfhdr->attrib.hdrlen + pnfhdr->attrib.iv_len; - recvframe_pull(pnextrframe, wlanhdr_offset); + if (!recvframe_pull(pnextrframe, wlanhdr_offset)) + goto out_err; /* append to first fragment frame's tail (if privacy frame, pull the ICV) */ - recvframe_pull_tail(prframe, pfhdr->attrib.icv_len); + if (!recvframe_pull_tail(prframe, pfhdr->attrib.icv_len)) + goto out_err; + + /* Verify the receiving buffer has enough space for the fragment */ + if (pnfhdr->len > pfhdr->rx_end - pfhdr->rx_tail) + goto out_err; /* memcpy */ memcpy(pfhdr->rx_tail, pnfhdr->rx_data, pnfhdr->len); @@ -1146,6 +1143,11 @@ static union recv_frame *recvframe_defrag(struct adapter *adapter, rtw_free_recvframe_queue(defrag_q, pfree_recv_queue); return prframe; + +out_err: + rtw_free_recvframe(prframe, pfree_recv_queue); + rtw_free_recvframe_queue(defrag_q, pfree_recv_queue); + return NULL; } /* check if need to defrag, if needed queue the frame to defrag_q */ -- 2.43.0