From: Delene Tchio Romuald <delenetchior1@gmail.com>
To: security@kernel.org
Cc: Delene Tchio Romuald <delenetchior1@gmail.com>, stable@vger.kernel.org
Subject: [PATCH] staging: rtl8723bs: fix heap buffer overflow in recvframe_defrag()
Date: Sat, 4 Apr 2026 22:11:41 +0100 [thread overview]
Message-ID: <20260404211142.53071-1-delenetchior1@gmail.com> (raw)
In recvframe_defrag(), a memcpy() copies fragment data into the
reassembly buffer before recvframe_put() validates that the buffer
has sufficient space. If the total reassembled payload exceeds the
receive buffer capacity, this results in a heap buffer overflow.
An attacker within WiFi radio range can exploit this by sending
crafted 802.11 fragmented frames. No authentication is required.
Add a bounds check before the memcpy() to verify that the fragment
payload fits within the remaining buffer space, using the same error
handling pattern already present in the function.
Cc: stable@vger.kernel.org
Signed-off-by: Delene Tchio Romuald <delenetchior1@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_recv.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
index 337671b12..901f4b1ff 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -1132,7 +1132,13 @@ static union recv_frame *recvframe_defrag(struct adapter *adapter,
/* append to first fragment frame's tail (if privacy frame, pull the ICV) */
recvframe_pull_tail(prframe, pfhdr->attrib.icv_len);
- /* memcpy */
+ /* Verify the receiving buffer has enough space for the fragment */
+ if (pnfhdr->len > (uint)(pfhdr->rx_end - pfhdr->rx_tail)) {
+ rtw_free_recvframe(prframe, pfree_recv_queue);
+ rtw_free_recvframe_queue(defrag_q, pfree_recv_queue);
+ return NULL;
+ }
+
memcpy(pfhdr->rx_tail, pnfhdr->rx_data, pnfhdr->len);
recvframe_put(prframe, pnfhdr->len);
--
2.43.0
next reply other threads:[~2026-04-04 21:15 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-04 21:11 Delene Tchio Romuald [this message]
2026-04-05 5:42 ` [PATCH] staging: rtl8723bs: fix heap buffer overflow in recvframe_defrag() Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260404211142.53071-1-delenetchior1@gmail.com \
--to=delenetchior1@gmail.com \
--cc=security@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox