Date: Tue, 14 Apr 2026 09:19:47 +0300
From: Dan Carpenter
To: Alexandru Hossu
Cc: gregkh@linuxfoundation.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, dan.carpenter@linaro.org, hansg@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path
References: <20260413202824.740653-1-hossu.alexandru@gmail.com>
In-Reply-To: <20260413202824.740653-1-hossu.alexandru@gmail.com>

On Mon, Apr 13, 2026 at 10:28:24PM +0200, Alexandru Hossu wrote:
> rtw_get_ie() returns the raw IE length from the received frame, which
> can be up to 255. This length is used directly in memcpy() into
> chg_txt[128] with no bounds check, allowing a heap overflow of up to
> 127 bytes when a rogue AP sends an Auth seq=2 frame with a Challenge
> Text IE longer than 128 bytes.
>
> IEEE 802.11 mandates the Challenge Text element carries exactly 128
> bytes of challenge data. Reject any element whose length field does not
> match sizeof(pmlmeinfo->chg_txt) (128).
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Alexandru Hossu

Looks good.

Reviewed-by: Dan Carpenter

> ---
> drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> > diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c > index 5f00fe282d1b..90f27665667a 100644 > --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c > +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c > @@ -891,7 +891,7 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram > p = rtw_get_ie(pframe + WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_, WLAN_EID_CHALLENGE, (int *)&len, ^^^^^^ Do we know that pframe has enough data? KTODO: check if pframe is large enough in OnAuthClient() regards, dan carpenter > pkt_len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_); > > - if (!p) > + if (!p || len != sizeof(pmlmeinfo->chg_txt)) > goto authclnt_fail;
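Review bot: the added `len != sizeof(pmlmeinfo->chg_txt)` test closes the memcpy overflow, but it leaves open the inline question about `pframe`: the search limit handed to rtw_get_ie() is `pkt_len - WLAN_HDR_A3_LEN - _AUTH_IE_OFFSET_`, and nothing in this hunk confirms `pkt_len >= WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_` before that subtraction, so a frame shorter than the fixed header would feed an out-of-range length into the IE walk. Suggest an explicit early check such as `if (pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_) goto authclnt_fail;` ahead of the rtw_get_ie() call, either in this patch or in the follow-up the KTODO notes. Minor: the `(int *)&len` cast hides the declared type of `len`; worth confirming it is unsigned so the comparison against `sizeof()` behaves as intended.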
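As an added illustration of the element-length check the patch introduces (this is editor-written example code, not the rtl8723bs driver's own), the following walks a constructed 802.11 element list with bounds checks, copies the Challenge Text into a fixed 128-byte buffer only when its length is exactly 128, and rejects both oversized elements and truncated frames. `CHG_TXT_LEN` stands in for `sizeof(pmlmeinfo->chg_txt)`; `find_ie` is a hypothetical stand-in for `rtw_get_ie()`, and the element ID 16 is the standard Challenge Text ID.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define WLAN_EID_CHALLENGE 16   /* 802.11 Challenge Text element ID */
#define CHG_TXT_LEN 128         /* stands in for sizeof(pmlmeinfo->chg_txt) */

/* Walk 802.11 elements (id, len, data...) and return the one with id `eid`,
 * storing its length in *ielen. Every read is checked against `limit`. */
static const uint8_t *find_ie(const uint8_t *ies, size_t limit, uint8_t eid, size_t *ielen)
{
    size_t off = 0;
    while (off + 2 <= limit) {
        uint8_t id = ies[off], len = ies[off + 1];
        if (off + 2 + len > limit)
            return NULL;        /* element claims more bytes than are present */
        if (id == eid) {
            *ielen = len;
            return ies + off;
        }
        off += 2 + len;
    }
    return NULL;
}

/* Hardened equivalent of the OnAuthClient() shared-key step: copy the challenge
 * only when the element length is exactly 128 (the check the patch adds). */
int handle_auth_challenge(const uint8_t *ies, size_t limit, uint8_t chg_txt[CHG_TXT_LEN])
{
    size_t len = 0;
    const uint8_t *p = find_ie(ies, limit, WLAN_EID_CHALLENGE, &len);
    if (!p || len != CHG_TXT_LEN)
        return 0;               /* reject: missing, short or oversized element */
    memcpy(chg_txt, p + 2, CHG_TXT_LEN);
    return 1;
}

/* Constructed input: one Challenge Text element of n bytes, with `cut` trailing
 * bytes removed to simulate a truncated frame; returns the handler's verdict. */
int challenge_accepted(size_t n, size_t cut)
{
    uint8_t ies[300], chg[CHG_TXT_LEN];
    ies[0] = WLAN_EID_CHALLENGE;
    ies[1] = (uint8_t)n;
    memset(ies + 2, 0xAB, n);          /* constructed challenge bytes */
    return handle_auth_challenge(ies, 2 + n - cut, chg);
}
```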