Date: Fri, 17 Apr 2026 08:35:46 +0300
From: Dan Carpenter
To: Delene Tchio Romuald
Cc: gregkh@linuxfoundation.org, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v5 3/5] staging: rtl8723bs: fix out-of-bounds read in portctrl()
References: <20260417030110.42991-1-delenetchior1@gmail.com> <20260417030110.42991-4-delenetchior1@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
In-Reply-To: <20260417030110.42991-4-delenetchior1@gmail.com>

On Fri, Apr 17, 2026 at 04:01:08AM +0100, Delene Tchio Romuald wrote:
> drivers/staging/rtl8723bs/core/rtw_recv.c | 21 +++++++++++++-------- > 1 file changed, 13 insertions(+), 8 deletions(-) > > diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c > index 40884788a30d6..b11982fbe7e1f 100644 > --- a/drivers/staging/rtl8723bs/core/rtw_recv.c > +++ b/drivers/staging/rtl8723bs/core/rtw_recv.c 
> @@ -537,20 +537,25 @@ static union recv_frame *portctrl(struct adapter *adapter, union recv_frame *pre > /* blocked */ > /* only accept EAPOL frame */ > > - prtnframe = precv_frame; > + /* Ensure frame has LLC header and ether_type */ > + if (pfhdr->len < pattrib->hdrlen + > + pattrib->iv_len + LLC_HEADER_LENGTH + 2) { > + rtw_free_recvframe(precv_frame, > + &adapter->recvpriv.free_recv_queue); > + return NULL; > + } > > /* get ether_type */ > - ptr = ptr + pfhdr->attrib.hdrlen + pfhdr->attrib.iv_len + LLC_HEADER_LENGTH; > + ptr += pattrib->hdrlen + pattrib->iv_len + LLC_HEADER_LENGTH; Don't do this unrelated cleanup. > memcpy(&be_tmp, ptr, 2); > ether_type = ntohs(be_tmp); > > - if (ether_type == eapol_type) > - prtnframe = precv_frame; > - else { > - /* free this frame */ > - rtw_free_recvframe(precv_frame, &adapter->recvpriv.free_recv_queue); > - prtnframe = NULL; > + if (ether_type != eapol_type) { > + rtw_free_recvframe(precv_frame, > + &adapter->recvpriv.free_recv_queue); > + return NULL; > } > + prtnframe = precv_frame; Same. If you really want to do it, it has to be in a separate patch. regards, dan carpenter > } else { > /* allowed */ > /* check decryption status, and decrypt the frame if needed */
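
Review bot: the new length check at the top of the blocked branch hard-codes "+ 2" for the ether_type, and the memcpy(&be_tmp, ptr, 2) a few lines below hard-codes the same 2, so nothing ties the bound to the read it is meant to protect. Using sizeof(be_tmp) in the check (and in the memcpy) would keep the two in step if either changes. The check also reads the lengths through pattrib, while the line it sits above originally used pfhdr->attrib; the hunk does not show where pattrib is assigned, so it is worth confirming it refers to this frame's attrib before the comparison runs. With stable@vger.kernel.org on Cc, the fix is easier to backport if the patch carries only the added check with its free-and-return, and leaves the ptr = ptr + ... line and the existing if/else on ether_type untouched.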