Re: [PATCH v3 1/5] staging: rtl8723bs: fix heap buffer overflow in recvframe_defrag()
From: Dan Carpenter
Date: Wed Apr 15 2026 - 12:11:17 EST
On Wed, Apr 15, 2026 at 06:24:10PM +0300, Dan Carpenter wrote:
> > diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
> > index f78194d508dfc..717e0594d983a 100644
> > --- a/drivers/staging/rtl8723bs/core/rtw_recv.c
> > +++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
> > @@ -1132,7 +1132,13 @@ static union recv_frame *recvframe_defrag(struct adapter *adapter,
> > /* append to first fragment frame's tail (if privacy frame, pull the ICV) */
> > recvframe_pull_tail(prframe, pfhdr->attrib.icv_len);
>
> There is no error checking on these pull calls. They're supposed
> to return NULL if pfhdr->attrib.icv_len is too big. (There is a similar
> caller earlier on the line before).
>
Actually if these fail
> >
> > - /* memcpy */
> > + /* Verify the receiving buffer has enough space for the fragment */
> > + if (pnfhdr->len > (uint)(pfhdr->rx_end - pfhdr->rx_tail)) {
>
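Review bot: the `(uint)` cast in `if (pnfhdr->len > (uint)(pfhdr->rx_end - pfhdr->rx_tail))` turns any negative pointer difference into a very large unsigned value, so if `rx_tail` ever sits past `rx_end` the new bounds check silently passes instead of rejecting the fragment. Since the preceding `recvframe_pull_tail(prframe, pfhdr->attrib.icv_len)` has its return value discarded, the check cannot rely on the pointers being consistent; either test that call's return value for NULL before reaching this line, or compare `pfhdr->rx_tail` against `pfhdr->rx_end` (returning an error if `rx_tail > rx_end`) before doing the subtraction.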
then the pfhdr->rx_end and pfhdr->rx_tail pointers are wrong. So you
really do need to add the error checking before you do the resend.
regards,
dan carpenter