Re: [PATCH] staging: rtl8723bs: fix negative length in WEP decryption
From: Jose A. Perez de Azpillaga
Date: Sun Apr 05 2026 - 07:02:49 EST
On Sun, Apr 05, 2026 at 12:02:48AM +0100, Delene Tchio Romuald wrote:
> In rtw_wep_decrypt(), length is declared as signed int and computed as:
>
> length = len - hdrlen - iv_len;
>
> If the received frame is shorter than the combined header and IV
> lengths, length becomes negative. It is then passed to arc4_crypt()
> which takes a u32 parameter, causing the negative value to be
> implicitly cast to a very large unsigned value (e.g., -8 becomes
> 4294967288). This results in a massive out-of-bounds read and write
> on the heap via arc4_crypt(), and a similar overflow at the
> subsequent crc32_le() call using length - 4.
>
> Add a minimum frame length check before the subtraction to ensure
> length is always positive.
>
> Cc: stable@xxxxxxxxxxxxxxx
since you cc'd stable, a Fixes tag is needed.
...
--
regards,
jose a. p-a
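Added example, not code from the patch or from the rtl8723bs driver: a stand-alone C model of the signed-to-unsigned problem the quoted message describes, beside a minimum-length check of the kind it proposes. Function names, the sample frame sizes and the 4-byte ICV constant are assumptions; the check also reserves room for the ICV because the quoted message says crc32_le() is called with length - 4.

```c
#include <stdint.h>

/* Stand-in for the u32 parameter type of arc4_crypt() (assumed name). */
typedef uint32_t u32;

/* Assumed: the 4 bytes that "length - 4" strips before crc32_le(). */
#define WEP_ICV_LEN 4

/*
 * Unchecked computation as described in the quoted message. The
 * subtraction is done in signed int, so a frame shorter than
 * hdrlen + iv_len yields a negative length; returning it through a
 * u32 shows exactly what arc4_crypt() would receive.
 */
u32 unchecked_len_as_seen_by_arc4(int len, int hdrlen, int iv_len)
{
	int length = len - hdrlen - iv_len; /* negative on a short frame */

	return (u32)length;                 /* -8 becomes 4294967288 */
}

/*
 * Hardened variant: validate before subtracting. Returns the payload
 * length, or -1 if the frame must be dropped. Requiring room for the
 * ICV keeps both "length" (arc4_crypt) and "length - 4" (crc32_le)
 * non-negative, so neither cast can produce a huge unsigned value.
 */
int checked_payload_len(int len, int hdrlen, int iv_len)
{
	if (len < 0 || hdrlen < 0 || iv_len < 0)
		return -1;
	if (len < hdrlen + iv_len + WEP_ICV_LEN)
		return -1;                  /* too short: drop, never decrypt */

	return len - hdrlen - iv_len;       /* always >= WEP_ICV_LEN here */
}

int main(void)
{
	/* Constructed sizes: 24-byte 802.11 header, 4-byte WEP IV. */
	(void)unchecked_len_as_seen_by_arc4(20, 24, 4); /* 4294967288 */
	(void)checked_payload_len(20, 24, 4);           /* -1: rejected */
	(void)checked_payload_len(100, 24, 4);          /* 72 */
	return 0;
}
```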