Re: [PATCH v3 2/5] staging: rtl8723bs: fix integer underflow in TKIP MIC verification
From: Luka Gejak
Date: Wed Apr 15 2026 - 09:59:05 EST
On Sun Apr 5, 2026 at 12:15 PM CEST, Delene Tchio Romuald wrote:
> In recvframe_chkmic(), datalen is computed as:
>
> datalen = len - hdrlen - iv_len - icv_len - 8;
>
> All operands are unsigned, so if the frame is shorter than the sum of
> header, IV, ICV, and MIC lengths, the subtraction wraps to a very
> large value. This corrupted datalen is then passed to
> rtw_seccalctkipmic() and used as a pointer offset, leading to
> out-of-bounds reads on kernel heap memory.
>
> Add a minimum frame length check before the subtraction to prevent
> the unsigned integer underflow.
>
> Found by reviewing memory operations in the driver.
> Not tested on hardware.
>
> Signed-off-by: Delene Tchio Romuald <delenetchior1@xxxxxxxxx>
> ---
> v3:
> - Rebased on staging-next
> - Sent as numbered series with proper Cc from get_maintainer.pl
> v2:
> - Rebased on staging-next (v1 did not apply due to whitespace changes)
>
> drivers/staging/rtl8723bs/core/rtw_recv.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
> index 717e0594d983a..11ae99e53b86a 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_recv.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
> @@ -390,6 +390,13 @@ static signed int recvframe_chkmic(struct adapter *adapter, union recv_frame *p
> mickey = &stainfo->dot11tkiprxmickey.skey[0];
> }
>
> + /* Ensure the frame is large enough for TKIP MIC verification */
> + if (precvframe->u.hdr.len <= prxattrib->hdrlen +
> + prxattrib->iv_len + prxattrib->icv_len + 8) {
> + res = _FAIL;
> + goto exit;
> + }
> +
> datalen = precvframe->u.hdr.len - prxattrib->hdrlen - prxattrib->iv_len - prxattrib->icv_len - 8;/* icv_len included the mic code */
> pframe = precvframe->u.hdr.rx_data;
> payload = pframe + prxattrib->hdrlen + prxattrib->iv_len;
LGTM.
Reviewed-by: Luka Gejak <luka.gejak@xxxxxxxxx>
Best regards,
Luka Gejak