Re: [PATCH] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path

Next message: Krzysztof Kozlowski: "Re: [PATCH 2/2] dt-bindings: arm: cpus: Add compatible qcom,oryon-1-5"
Previous message: syzbot: "Re: [syzbot] [dri?] KASAN: slab-use-after-free Read in drm_gem_object_release_handle"
In reply to: Dan Carpenter: "Re: [PATCH] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path"
Next in thread: Alexandru Hossu: "[PATCH] staging: rtl8723bs: fix frame length underflow in OnAuthClient"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Alexandru Hossu

Date: Tue Apr 14 2026 - 02:23:01 EST

On Tue, Apr 14, 2026 at 08:19:00AM +0000, Dan Carpenter wrote:
> Looks good.
>
> Reviewed-by: Dan Carpenter <error27@xxxxxxxxx>
>
> p = rtw_get_ie(pframe + WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_, WLAN_EID_CHALLENGE, (int *)&len,
> ^^^^^^
> Do we know that pframe has enough data?
>
> KTODO: check if pframe is large enough in OnAuthClient()

Good catch. There's no minimum length check before the subtraction,
so a frame shorter than WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ (30 bytes)
would cause pkt_len to underflow since it's unsigned. I'll send a
follow-up patch adding the check.

Thanks for the review.

Alexandru