Re: [PATCH] staging: rtl8723bs: fix frame length underflow in OnAuthClient
From: Alexandru Hossu
Date: Tue Apr 14 2026 - 10:37:21 EST

On Tue, Apr 14, 2026 at 03:02:00PM +0000, Dan Carpenter wrote:
> Do we know for sure that this is within bounds? And there is earlier
> code which pokes in pframe as well. This code is quite complicated.

You're right, I missed that. get_da(pframe) at the top of the function
already accesses pframe+4..+9, and GetPrivacy() reads the FC field,
both without any length check. I'll add an early check against
WLAN_HDR_A3_LEN before any pframe access and send a v2.

Thanks,
Alexandru
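
The pattern discussed in this message, as an added example (not code from the patch, the promised v2, or the rtl8723bs driver): the frame length is checked against WLAN_HDR_A3_LEN before the destination address or the FC field is read, so the body length cannot wrap. The names parse_mgmt_frame, mgmt_body_len and struct mgmt_view are hypothetical, and the value 24 for WLAN_HDR_A3_LEN is assumed from the standard 3-address 802.11 header layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WLAN_HDR_A3_LEN 24     /* assumed: FC(2) + duration(2) + 3 x addr(6) + seq(2) */
#define FC_PRIVACY      0x4000 /* Protected Frame bit of the frame control field */

struct mgmt_view {             /* hypothetical helper type, not a driver structure */
	const uint8_t *da;     /* address 1, bytes 4..9 of the frame */
	int privacy;           /* non-zero when the Protected Frame bit is set */
	const uint8_t *body;   /* first byte after the 3-address header */
	size_t body_len;
};

/* Returns 0 and fills *v, or -1 if the frame cannot hold a full header.
 * No byte of pframe is read until the length check has passed. */
int parse_mgmt_frame(const uint8_t *pframe, size_t len, struct mgmt_view *v)
{
	uint16_t fc;

	if (!pframe || !v || len < WLAN_HDR_A3_LEN)
		return -1;

	fc = (uint16_t)(pframe[0] | (pframe[1] << 8)); /* FC is little-endian */
	v->da = pframe + 4;
	v->privacy = (fc & FC_PRIVACY) != 0;
	v->body = pframe + WLAN_HDR_A3_LEN;
	v->body_len = len - WLAN_HDR_A3_LEN; /* cannot wrap: len >= WLAN_HDR_A3_LEN */
	return 0;
}

/* Demo wrapper: body length, or -1 when the frame is rejected as too short. */
long mgmt_body_len(const uint8_t *pframe, size_t len)
{
	struct mgmt_view v;
	return parse_mgmt_frame(pframe, len, &v) ? -1 : (long)v.body_len;
}

/* Constructed sample frame: FC = 0x40b0 (auth subtype, Protected bit set). */
static const uint8_t sample[30] = { 0xb0, 0x40, 0x00, 0x00,
				    0x02, 0x11, 0x22, 0x33, 0x44, 0x55 };

int main(void)
{
	printf("30-byte frame: body_len=%ld\n", mgmt_body_len(sample, 30));
	printf("10-byte frame: body_len=%ld\n", mgmt_body_len(sample, 10));
	return 0;
}
```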