Date: Wed, 15 Apr 2026 06:47:35 +0200
Subject: Re: [PATCH v2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient
From: "Luka Gejak"
To: "Alexandru Hossu"
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20260414213959.1028301-1-hossu.alexandru@gmail.com>
In-Reply-To: <20260414213959.1028301-1-hossu.alexandru@gmail.com>

On Tue Apr 14, 2026 at 11:39 PM CEST, Alexandru Hossu wrote:
> OnAuthClient() accesses pframe without first verifying that pkt_len is
> large enough to contain a valid 802.11 management frame header:
>
> - get_da(pframe) reads bytes 4-9, requiring pkt_len >= 10
> - GetPrivacy(pframe) reads the FC field at bytes 0-1
>
> Additionally, when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ the
> unsigned subtraction passed to rtw_get_ie() wraps around, causing it
> to scan well past the end of the buffer.
>
> Add an early check against WLAN_HDR_A3_LEN before any pframe access,
> and a second check against WLAN_HDR_A3_LEN + offset + 6 after computing
> offset to guard the seq/status reads and the rtw_get_ie() call.
>
> Suggested-by: Dan Carpenter
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Alexandru Hossu
> ---
> Changes in v2:
> - Replace incorrect Reported-by tag with Suggested-by: Dan spotted the
>   missing length check during code review of the heap overflow fix; he
>   did not file a separate bug report
> - Add missing version changelog (the initial submission was incorrectly
>   labeled v2; no v1 was ever sent to the list)
>
>  drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> index 90f27665667a..884cd39ec756 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> @@ -860,6 +860,9 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
>  	u8 *pframe = precv_frame->u.hdr.rx_data;
>  	uint pkt_len = precv_frame->u.hdr.len;
>  
> +	if (pkt_len < WLAN_HDR_A3_LEN)
> +		goto authclnt_fail;
> +
>  	/* check A1 matches or not */
>  	if (memcmp(myid(&(padapter->eeprompriv)), get_da(pframe), ETH_ALEN))
>  		return _SUCCESS;
> @@ -869,6 +872,9 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
>  
>  	offset = (GetPrivacy(pframe)) ? 4 : 0;
>  
> +	if (pkt_len < WLAN_HDR_A3_LEN + offset + 6)
> +		goto authclnt_fail;
> +
>  	seq = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 2));
>  	status = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 4));
>  

LGTM.

Reviewed-by: Luka Gejak

Best regards,
Luka Gejak
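Review bot: In the first hunk (the `if (pkt_len < WLAN_HDR_A3_LEN)` check at the top of OnAuthClient), a truncated frame is sent to `authclnt_fail` before the A1 comparison just below it has established that the frame is addressed to this adapter at all, while that existing A1-mismatch path returns `_SUCCESS` to ignore foreign frames. What `authclnt_fail` does is outside the hunk; if it touches the station's own pending authentication state, a short frame that was never verified as ours would affect that state. Consider dropping the short frame the same way the A1 mismatch does (`return _SUCCESS;`), or add a one-line comment stating why treating it as an authentication failure is the intended behaviour.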
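Review bot: In the second hunk, the bound `WLAN_HDR_A3_LEN + offset + 6` is exactly what the two 16-bit reads at `offset + 2` and `offset + 4` need, but the commit message says the same check is also meant to guard the rtw_get_ie() length argument, which it describes as subtracting `WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_` with no `offset` term. That subtraction only stops wrapping if `_AUTH_IE_OFFSET_ <= 6` holds for the `offset == 0` case, and nothing in the hunk shows the value of `_AUTH_IE_OFFSET_`. Suggest either writing the check against the larger of `offset + 6` and `_AUTH_IE_OFFSET_` so the guard and the later call use the same constant, or adding a comment next to the check recording why `offset + 6` covers both the seq/status reads and the IE scan, so the relation between the two constants is not left implicit.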