[PATCH v6 1/2] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH v6 1/2] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path
@ 2026-04-15  9:45 Alexandru Hossu
  2026-04-15  9:45 ` [PATCH v6 2/2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient Alexandru Hossu
  2026-04-15 11:09 ` [PATCH v6 1/2] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path Luka Gejak
  0 siblings, 2 replies; 3+ messages in thread
From: Alexandru Hossu @ 2026-04-15  9:45 UTC (permalink / raw)
  To: gregkh
  Cc: linux-staging, linux-kernel, error27, stable, luka.gejak, hansg,
	Alexandru Hossu

rtw_get_ie() returns the raw IE length from the received frame, which
can be up to 255. This length is used directly in memcpy() into
chg_txt[128] with no bounds check, allowing a heap overflow of up to
127 bytes when a rogue AP sends an Auth seq=2 frame with a Challenge
Text IE longer than 128 bytes.

IEEE 802.11 mandates the Challenge Text element carries exactly 128
bytes of challenge data. Reject any element whose length field does not
match sizeof(pmlmeinfo->chg_txt) (128).

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Cc: hansg@kernel.org
Reviewed-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
Apologies for the version numbering confusion across previous iterations.

Changes in v6:
- Add hansg@kernel.org to Cc (original driver author; accidentally
  omitted from the v5 series)
- Patch content unchanged from initial submission

 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index 5f00fe282d1b..90f27665667a 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -891,7 +891,7 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
 			p = rtw_get_ie(pframe + WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_, WLAN_EID_CHALLENGE, (int *)&len,
 				pkt_len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_);
 
-			if (!p)
+			if (!p || len != sizeof(pmlmeinfo->chg_txt))
 				goto authclnt_fail;
 
 			memcpy(pmlmeinfo->chg_txt, p + 2, len);
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [PATCH v6 2/2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient
  2026-04-15  9:45 [PATCH v6 1/2] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path Alexandru Hossu
@ 2026-04-15  9:45 ` Alexandru Hossu
  2026-04-15 11:09 ` [PATCH v6 1/2] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path Luka Gejak
  1 sibling, 0 replies; 3+ messages in thread
From: Alexandru Hossu @ 2026-04-15  9:45 UTC (permalink / raw)
  To: gregkh
  Cc: linux-staging, linux-kernel, error27, stable, luka.gejak, hansg,
	Alexandru Hossu

OnAuthClient() accesses pframe without first verifying that pkt_len is
large enough to contain a valid 802.11 management frame header:

- get_da(pframe) reads bytes 4-9, requiring pkt_len >= 10
- GetPrivacy(pframe) reads the FC field at bytes 0-1

Additionally, when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ the
unsigned subtraction passed to rtw_get_ie() wraps around, causing it
to scan well past the end of the buffer.

Add an early check against WLAN_HDR_A3_LEN before any pframe access,
and a second check against WLAN_HDR_A3_LEN + offset + 6 after computing
offset to guard the seq/status reads and the rtw_get_ie() call.

Suggested-by: Dan Carpenter <error27@gmail.com>
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Cc: hansg@kernel.org
Reviewed-by: Dan Carpenter <error27@gmail.com>
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
Changes in v6:
- Add hansg@kernel.org to Cc (original driver author; accidentally
  omitted from the v5 series)

Changes in v5:
- Resend as 2/2 in two-patch series at maintainer request
- Add Reviewed-by from Dan Carpenter and Luka Gejak

Changes in v4:
- Replace incorrect Reported-by with Suggested-by: Dan spotted the
  missing length check during code review of the heap overflow fix;
  he did not file a separate bug report
- Add missing version changelog; correct subject line version number
  (previous submission was mislabeled as v2 despite being v3)

Changes in v3:
- Add first check against WLAN_HDR_A3_LEN before any pframe access
  to also guard get_da() and prevent unsigned subtraction wrap
- Rename subject to "fix missing frame length checks"

Changes in v2:
- Add single length check after computing offset to guard the
  seq/status field reads

 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index 90f27665667a..884cd39ec756 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -860,6 +860,9 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
 	u8 *pframe = precv_frame->u.hdr.rx_data;
 	uint pkt_len = precv_frame->u.hdr.len;
 
+	if (pkt_len < WLAN_HDR_A3_LEN)
+		goto authclnt_fail;
+
 	/* check A1 matches or not */
 	if (memcmp(myid(&(padapter->eeprompriv)), get_da(pframe), ETH_ALEN))
 		return _SUCCESS;
@@ -869,6 +872,9 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
 
 	offset = (GetPrivacy(pframe)) ? 4 : 0;
 
+	if (pkt_len < WLAN_HDR_A3_LEN + offset + 6)
+		goto authclnt_fail;
+
 	seq	= le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 2));
 	status	= le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 4));
 
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH v6 1/2] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path
  2026-04-15  9:45 [PATCH v6 1/2] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path Alexandru Hossu
  2026-04-15  9:45 ` [PATCH v6 2/2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient Alexandru Hossu
@ 2026-04-15 11:09 ` Luka Gejak
  1 sibling, 0 replies; 3+ messages in thread
From: Luka Gejak @ 2026-04-15 11:09 UTC (permalink / raw)
  To: Alexandru Hossu, gregkh
  Cc: linux-staging, linux-kernel, error27, stable, luka.gejak, hansg

On Wed Apr 15, 2026 at 11:45 AM CEST, Alexandru Hossu wrote:
> rtw_get_ie() returns the raw IE length from the received frame, which
> can be up to 255. This length is used directly in memcpy() into
> chg_txt[128] with no bounds check, allowing a heap overflow of up to
> 127 bytes when a rogue AP sends an Auth seq=2 frame with a Challenge
> Text IE longer than 128 bytes.
>
> IEEE 802.11 mandates the Challenge Text element carries exactly 128
> bytes of challenge data. Reject any element whose length field does not
> match sizeof(pmlmeinfo->chg_txt) (128).
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@vger.kernel.org
> Cc: hansg@kernel.org
> Reviewed-by: Dan Carpenter <error27@gmail.com>
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> ---
> Apologies for the version numbering confusion across previous iterations.
>
> Changes in v6:
> - Add hansg@kernel.org to Cc (original driver author; accidentally
>   omitted from the v5 series)
> - Patch content unchanged from initial submission
>
>  drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> index 5f00fe282d1b..90f27665667a 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> @@ -891,7 +891,7 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
>  			p = rtw_get_ie(pframe + WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_, WLAN_EID_CHALLENGE, (int *)&len,
>  				pkt_len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_);
>  
> -			if (!p)
> +			if (!p || len != sizeof(pmlmeinfo->chg_txt))
>  				goto authclnt_fail;
>  
>  			memcpy(pmlmeinfo->chg_txt, p + 2, len);

LGTM.

Reviewed-by: Luka Gejak <luka.gejak@linux.dev>

Best regards,
Luka Gejak

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-04-15 11:10 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-15  9:45 [PATCH v6 1/2] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path Alexandru Hossu
2026-04-15  9:45 ` [PATCH v6 2/2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient Alexandru Hossu
2026-04-15 11:09 ` [PATCH v6 1/2] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path Luka Gejak

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox