[PATCH v3 2/5] staging: rtl8723bs: fix integer underflow in TKIP MIC verification
From: Delene Tchio Romuald
Date: Sun Apr 05 2026 - 06:18:20 EST
In recvframe_chkmic(), datalen is computed as:

    datalen = len - hdrlen - iv_len - icv_len - 8;

All operands are unsigned, so if the frame is shorter than the sum of
header, IV, ICV, and MIC lengths, the subtraction wraps to a very
large value. This corrupted datalen is then passed to
rtw_seccalctkipmic() and used as a pointer offset, leading to
out-of-bounds reads on kernel heap memory.

Add a minimum frame length check before the subtraction to prevent
the unsigned integer underflow.

Found by reviewing memory operations in the driver.

Not tested on hardware.
Signed-off-by: Delene Tchio Romuald <delenetchior1@xxxxxxxxx>
---
v3:
- Rebased on staging-next
- Sent as numbered series with proper Cc from get_maintainer.pl
v2:
- Rebased on staging-next (v1 did not apply due to whitespace changes)
drivers/staging/rtl8723bs/core/rtw_recv.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
index 717e0594d983a..11ae99e53b86a 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -390,6 +390,13 @@ static signed int recvframe_chkmic(struct adapter *adapter, union recv_frame *p
mickey = &stainfo->dot11tkiprxmickey.skey[0];
}
+ /* Ensure the frame is large enough for TKIP MIC verification */
+ if (precvframe->u.hdr.len <= prxattrib->hdrlen +
+ prxattrib->iv_len + prxattrib->icv_len + 8) {
+ res = _FAIL;
+ goto exit;
+ }
+
datalen = precvframe->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_len - prxattrib->icv_len - 8;/* icv_len included the mic code */
pframe = precvframe->u.hdr.rx_data;
payload = pframe + prxattrib->hdrlen + prxattrib->iv_len;
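Review bot: the bound in the new check does not match the commit message: `<=` also rejects a frame whose length is exactly hdrlen + iv_len + icv_len + 8 (datalen == 0), which cannot underflow, while the message only describes frames "shorter than the sum" as the problem case; either use `<` so only the underflowing lengths are refused, or state in the message that zero-length payloads are deliberately rejected as well. Since the same sum is now written twice, consider computing it once into a local of the same type as precvframe->u.hdr.len, e.g. `min_len = prxattrib->hdrlen + prxattrib->iv_len + prxattrib->icv_len + 8;`, and using it in both the check and the datalen assignment; while touching that line, the trailing comment "icv_len included the mic code" sits next to an explicit `- 8` for the MIC and should be clarified or dropped so the two do not contradict each other.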
--
2.43.0