Re: [PATCH v2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient

Next message: Jie Gan: "Re: [PATCH v4 3/9] coresight: etm4x: fix leaked trace id"
Previous message: David Hildenbrand (Arm): "Re: [PATCH v2] mm: shmem: don't set large-order range for internal shmem mount"
In reply to: Luka Gejak: "Re: [PATCH v2] staging: rtl8723bs: fix missing frame length checks in OnAuthClient"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dan Carpenter

Date: Wed Apr 15 2026 - 04:48:06 EST

On Tue, Apr 14, 2026 at 11:39:59PM +0200, Alexandru Hossu wrote:
> OnAuthClient() accesses pframe without first verifying that pkt_len is
> large enough to contain a valid 802.11 management frame header:
>
> - get_da(pframe) reads bytes 4-9, requiring pkt_len >= 10
> - GetPrivacy(pframe) reads the FC field at bytes 0-1
>
> Additionally, when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ the
> unsigned subtraction passed to rtw_get_ie() wraps around, causing it
> to scan well past the end of the buffer.
>
> Add an early check against WLAN_HDR_A3_LEN before any pframe access,
> and a second check against WLAN_HDR_A3_LEN + offset + 6 after computing
> offset to guard the seq/status reads and the rtw_get_ie() call.
>
> Suggested-by: Dan Carpenter <error27@xxxxxxxxx>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Alexandru Hossu <hossu.alexandru@xxxxxxxxx>
> ---

Looks good!

Reviewed-by: Dan Carpenter <error27@xxxxxxxxx>

regards,
dan carpenter