[PATCH v2] staging: rtl8723bs: fix integer underflow in TKIP MIC verification

From: Delene Tchio Romuald

Date: Sat Apr 04 2026 - 19:55:50 EST


In recvframe_chkmic(), datalen is computed as:

datalen = len - hdrlen - iv_len - icv_len - 8;

All operands are unsigned, so if the frame is shorter than the sum of
header, IV, ICV, and MIC lengths, the subtraction wraps to a very
large value. This corrupted datalen is then passed to
rtw_seccalctkipmic() and used as a pointer offset, leading to
out-of-bounds reads on kernel heap memory.

Add a minimum frame length check before the subtraction to prevent
the unsigned integer underflow.

Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Delene Tchio Romuald <delenetchior1@xxxxxxxxx>
---
drivers/staging/rtl8723bs/core/rtw_recv.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
index f78194d50..1fc8bcf39 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -390,6 +390,13 @@ static signed int recvframe_chkmic(struct adapter *adapter, union recv_frame *p
mickey = &stainfo->dot11tkiprxmickey.skey[0];
}

+ /* Ensure the frame is large enough for TKIP MIC verification */
+ if (precvframe->u.hdr.len <= prxattrib->hdrlen +
+ prxattrib->iv_len + prxattrib->icv_len + 8) {
+ res = _FAIL;
+ goto exit;
+ }
+
datalen = precvframe->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_len - prxattrib->icv_len - 8;/* icv_len included the mic code */
pframe = precvframe->u.hdr.rx_data;
payload = pframe + prxattrib->hdrlen + prxattrib->iv_len;
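Review bot: the new guard uses `<=`, which rejects frames whose payload would be exactly zero bytes (`len == hdrlen + iv_len + icv_len + 8`), whereas the unsigned wrap described in the commit message only happens when `len` is strictly less than that sum. If a zero-length TKIP payload is meant to be treated as invalid, please say so in the commit message; otherwise `<` would make the check exactly the precondition for the `datalen = ...` subtraction that follows. Separately, the existing comment on that line reads `/* icv_len included the mic code */`, yet both the subtraction and the new check subtract a further 8 on top of `icv_len`; it is worth confirming against the attribute definitions whether that comment is stale, since the correct minimum-length bound depends on whether the MIC is already counted in `icv_len`.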
--
2.43.0