Re: [PATCH v2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient

[Luka Gejak]

On Wed Apr 15, 2026 at 6:56 AM CEST, Greg KH wrote:
> On Tue, Apr 14, 2026 at 11:39:59PM +0200, Alexandru Hossu wrote:
>> OnAuthClient() accesses pframe without first verifying that pkt_len is
>> large enough to contain a valid 802.11 management frame header:
>> 
>> - get_da(pframe) reads bytes 4-9, requiring pkt_len >= 10
>> - GetPrivacy(pframe) reads the FC field at bytes 0-1
>> 
>> Additionally, when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ the
>> unsigned subtraction passed to rtw_get_ie() wraps around, causing it
>> to scan well past the end of the buffer.
>> 
>> Add an early check against WLAN_HDR_A3_LEN before any pframe access,
>> and a second check against WLAN_HDR_A3_LEN + offset + 6 after computing
>> offset to guard the seq/status reads and the rtw_get_ie() call.
>> 
>> Suggested-by: Dan Carpenter <error27@xxxxxxxxx>
>> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
>> Cc: stable@xxxxxxxxxxxxxxx
>> Signed-off-by: Alexandru Hossu <hossu.alexandru@xxxxxxxxx>
>> ---
>> Changes in v2:
>> - Replace incorrect Reported-by tag with Suggested-by: Dan spotted the
>>   missing length check during code review of the heap overflow fix; he
>>   did not file a separate bug report
>> - Add missing version changelog (the initial submission was incorrectly
>>   labeled v2; no v1 was ever sent to the list)
>
> So this is really v3?
>

...

This would actually be v4.
v1: [1]
v2: [2]
v3: [3]
v4: [4]
Best regards,
Luka Gejak

[1]: https://lore.kernel.org/linux-staging/20260413202824.740653-1-hossu.alexandru@xxxxxxxxx/
[2]: https://lore.kernel.org/linux-staging/20260414100804.871764-1-hossu.alexandru@xxxxxxxxx/
[3]: https://lore.kernel.org/linux-staging/20260414145350.903996-1-hossu.alexandru@xxxxxxxxx/
[4]: https://lore.kernel.org/linux-staging/20260414213959.1028301-1-hossu.alexandru@xxxxxxxxx/