From: Luka Gejak <luka.gejak@linux.dev>
To: Greg KH <gregkh@linuxfoundation.org>, Feng Ning <feng@innora.ai>
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org,
stable@vger.kernel.org, luka.gejak@linux.dev
Subject: Re: [PATCH v6] staging: rtl8723bs: fix heap buffer overflow in cfg80211_rtw_add_key()
Date: Mon, 04 May 2026 18:48:21 +0200 [thread overview]
Message-ID: <5035183D-9CC0-4D2F-90CA-3AA2B5AC480A@linux.dev> (raw)
In-Reply-To: <2026050417-monkhood-backless-4c3e@gregkh>
On May 4, 2026 4:12:44 PM GMT+02:00, Greg KH <gregkh@linuxfoundation.org> wrote:
>On Mon, Apr 27, 2026 at 11:17:45AM +0000, Feng Ning wrote:
>> The cfg80211 framework allows userspace to specify a key sequence
>> counter (NL80211_KEY_SEQ) of up to 16 bytes via NL80211_CMD_NEW_KEY
>> netlink messages, but ieee_param.crypt.seq is a fixed 8-byte buffer.
>> When cfg80211_rtw_add_key() copies the sequence counter via memcpy()
>> without checking seq_len, a heap buffer overflow of up to 8 bytes
>> occurs, overwriting bytes following seq within the same ieee_param
>> structure (key_len and the trailing key[] flexible array).
>>
>> Cap the copy length at the buffer size using min_t().
>>
>> Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
>> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Feng Ning <feng@innora.ai>
>> ---
>
>What about these review comments:
> https://sashiko.dev/#/patchset/20260427111738.33069-1-feng@innora.ai
>
>Are they incorrect?
>
>And was this tested on real hardware?
>
>thanks,
>
>greg k-h
Hi Greg,
Is it better to let the driver attempt to function with a truncated
key sequence (via min_t), or should we explicitly reject the request
with -EINVAL to ensure we aren't installing a technically "broken" key
configuration? Which approach is more aligned with your preferences?
Best regards,
Luka Gejak
prev parent reply other threads:[~2026-05-04 16:48 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260413113224.5201-1-feng@innora.ai>
[not found] ` <2026042626-tabloid-suitor-33c5@gregkh>
2026-04-27 11:17 ` [PATCH v6] staging: rtl8723bs: fix heap buffer overflow in cfg80211_rtw_add_key() Feng Ning
2026-05-04 14:12 ` Greg KH
2026-05-04 15:48 ` Feng Ning
2026-05-04 16:03 ` Greg KH
2026-05-04 16:38 ` Feng Ning
2026-05-04 17:01 ` Greg KH
2026-05-05 20:04 ` Luka Gejak
2026-05-04 16:48 ` Luka Gejak [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5035183D-9CC0-4D2F-90CA-3AA2B5AC480A@linux.dev \
--to=luka.gejak@linux.dev \
--cc=feng@innora.ai \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox