Date: Tue, 14 Apr 2026 15:48:55 +0300
From: Dan Carpenter
To: Alexandru Hossu
Cc: gregkh@linuxfoundation.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, dan.carpenter@linaro.org, hansg@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] staging: rtl8723bs: fix frame length underflow in OnAuthClient
References: <20260413202824.740653-1-hossu.alexandru@gmail.com> <20260414100804.871764-1-hossu.alexandru@gmail.com>
In-Reply-To: <20260414100804.871764-1-hossu.alexandru@gmail.com>

On Tue, Apr 14, 2026 at 12:08:04PM +0200, Alexandru Hossu wrote:
> If pkt_len is less than WLAN_HDR_A3_LEN + offset + 6, the reads of
> the seq and status fields go beyond the frame buffer. Additionally,
> when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ (30 bytes), the
> subtraction passed to rtw_get_ie() wraps around since pkt_len is
> unsigned, causing rtw_get_ie() to scan well past the end of the buffer.
>
> Add a minimum length check after computing offset to reject frames
> that are too short before any fixed field access.
>
> Reported-by: Dan Carpenter
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Alexandru Hossu
> ---
>  drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> index 90f27665667a..6b0ac54ad3d4 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> @@ -869,6 +869,9 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram
>
>  offset = (GetPrivacy(pframe)) ? 4 : 0;
             ^^^^^^
Do we know for sure that this is within bounds?  And there is earlier
code which pokes in pframe as well.  This code is quite complicated.
I looked at how to do bounds checking but it all seems pretty
complicated to me and I haven't investigated this enough to know the
right answers.

regards,
dan carpenter

>
> + if (pkt_len < WLAN_HDR_A3_LEN + offset + 6)
> + goto authclnt_fail;
> +
>  seq = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 2));
>  status = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 4));
>
> --
> 2.53.0
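Review bot: The new check `if (pkt_len < WLAN_HDR_A3_LEN + offset + 6)` sits after `offset = (GetPrivacy(pframe)) ? 4 : 0;`, which has already read the Frame Control field of pframe, so a frame shorter than the 802.11 header is dereferenced before it is rejected, and the commit message's claim that the check runs "before any fixed field access" does not hold for that read. A guard such as `if (pkt_len < WLAN_HDR_A3_LEN) goto authclnt_fail;` placed before the `offset` line makes the rejection independent of the frame contents, with the existing `offset + 6` check kept after it for the fixed fields. The literal `6` is the quantity the commit message itself names `_AUTH_IE_OFFSET_` (the 30 - 24 bytes of fixed fields), so writing the bound as `WLAN_HDR_A3_LEN + offset + _AUTH_IE_OFFSET_` ties the check to the rtw_get_ie() subtraction it is meant to keep from wrapping.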
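The two failure modes the commit message describes, an out-of-bounds read of the seq/status fields and an unsigned subtraction that wraps for frames under 30 bytes, are easy to reproduce in isolation. The following is an added example, written for this page and not code from the rtl8723bs driver or the kernel: it models the Authentication frame layout the patch relies on (24-byte three-address header, optional 4-byte WEP IV when the Protected bit is set, 6 bytes of fixed fields) with its own names (AUTH_FIXED_LEN stands in for _AUTH_IE_OFFSET_, parse_auth_frame and build_auth_frame are this example's helpers, and the sample frames are constructed, not captured). It goes one step beyond the posted hunk by placing a header-length guard ahead of the Frame Control read, which is the ordering the reply above questions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.11 layout assumed by this example (names other than WLAN_HDR_A3_LEN
 * are ours): 24-byte header, then for an Authentication frame a 4-byte IV
 * when the Protected bit is set, then alg(2) seq(2) status(2), then IEs. */
#define WLAN_HDR_A3_LEN 24u
#define AUTH_FIXED_LEN  6u       /* stands in for the driver's _AUTH_IE_OFFSET_ */
#define FC_PROTECTED    0x4000u  /* Protected Frame bit of Frame Control (LE16) */

struct auth_fields {
    unsigned alg, seq, status;
};

static unsigned get_le16(const uint8_t *p)
{
    return (unsigned)p[0] | ((unsigned)p[1] << 8);
}

/* Models the unchecked length handed to the IE scanner: an unsigned
 * subtraction that wraps to a huge value for any frame under 30 bytes. */
static size_t unchecked_ie_len(size_t pkt_len)
{
    return pkt_len - WLAN_HDR_A3_LEN - AUTH_FIXED_LEN;
}

/* Hardened parse: returns 0 and fills out/ie_len, or -1 when the frame is
 * too short. The header guard comes first so Frame Control is never read
 * from a frame that does not contain it; the second check covers the IV
 * and fixed fields, after which the IE-length subtraction cannot wrap. */
static int parse_auth_frame(const uint8_t *frame, size_t pkt_len,
                            struct auth_fields *out, size_t *ie_len)
{
    unsigned offset;
    const uint8_t *body;

    if (pkt_len < WLAN_HDR_A3_LEN)
        return -1;
    offset = (get_le16(frame) & FC_PROTECTED) ? 4u : 0u;
    if (pkt_len < WLAN_HDR_A3_LEN + offset + AUTH_FIXED_LEN)
        return -1;

    body = frame + WLAN_HDR_A3_LEN + offset;
    out->alg = get_le16(body);
    out->seq = get_le16(body + 2);
    out->status = get_le16(body + 4);
    *ie_len = pkt_len - WLAN_HDR_A3_LEN - offset - AUTH_FIXED_LEN;
    return 0;
}

/* Constructs a sample Authentication frame (not a capture): zeroed
 * addresses, Open System algorithm, the given seq/status, and `extra`
 * zero bytes of IE space. Returns the frame length, or 0 if buf is small. */
static size_t build_auth_frame(uint8_t *buf, size_t cap, int privacy,
                               unsigned seq, unsigned status, size_t extra)
{
    unsigned offset = privacy ? 4u : 0u;
    size_t len = WLAN_HDR_A3_LEN + offset + AUTH_FIXED_LEN + extra;
    uint8_t *body;

    if (len > cap)
        return 0;
    memset(buf, 0, len);
    buf[0] = 0xb0;                   /* type Management, subtype Authentication */
    buf[1] = privacy ? 0x40 : 0x00;  /* Protected Frame bit lives in byte 1 */
    body = buf + WLAN_HDR_A3_LEN + offset;
    body[2] = seq & 0xff;
    body[3] = (seq >> 8) & 0xff;
    body[4] = status & 0xff;
    body[5] = (status >> 8) & 0xff;
    return len;
}

/* Builds a sample frame and parses only its first pkt_len bytes, as if it
 * had arrived truncated. Returns the parsed seq, or -1 when rejected. */
static int parse_sample(int privacy, size_t pkt_len)
{
    uint8_t buf[64];
    struct auth_fields f;
    size_t ie_len;
    size_t full = build_auth_frame(buf, sizeof buf, privacy, 7, 0, 8);

    if (full == 0 || pkt_len > full)
        return -2;
    if (parse_auth_frame(buf, pkt_len, &f, &ie_len) < 0)
        return -1;
    return (int)f.seq;
}

int main(void)
{
    printf("unchecked IE length for a 28-byte frame: %zu\n", unchecked_ie_len(28));
    printf("30-byte open frame      -> seq %d\n", parse_sample(0, 30));
    printf("29-byte open frame      -> %d (rejected)\n", parse_sample(0, 29));
    printf("34-byte protected frame -> seq %d\n", parse_sample(1, 34));
    printf("33-byte protected frame -> %d (rejected)\n", parse_sample(1, 33));
    return 0;
}
```

The 28-byte case shows why the commit message calls it an underflow: the wrapped size_t is the scan limit rtw_get_ie() would receive, so the IE walk does not stop at the buffer end. The protected case shows that the bound has to include the IV offset, which is why the patch's check uses `offset + 6` rather than the bare 30-byte figure.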