Re: [PATCH v6 1/2] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path

Next message: Ankit Jain: "[PATCH net v2 1/2] tcp: protect locked SO_RCVBUF from Silly Window Syndrome"
Previous message: Greg Kroah-Hartman: "Re: [PATCH v4] staging: rtl8723bs: fix remote heap info disclosure and OOB reads"
Next in thread: Alexandru Hossu: "[PATCH v7 0/2] staging: rtl8723bs: fix OOB reads in OnAuth() and OnAuthClient()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Greg KH

Date: Mon May 04 2026 - 10:56:53 EST

On Wed, Apr 15, 2026 at 11:45:04AM +0200, Alexandru Hossu wrote:
> rtw_get_ie() returns the raw IE length from the received frame, which
> can be up to 255. This length is used directly in memcpy() into
> chg_txt[128] with no bounds check, allowing a heap overflow of up to
> 127 bytes when a rogue AP sends an Auth seq=2 frame with a Challenge
> Text IE longer than 128 bytes.
>
> IEEE 802.11 mandates the Challenge Text element carries exactly 128
> bytes of challenge data. Reject any element whose length field does not
> match sizeof(pmlmeinfo->chg_txt) (128).
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@xxxxxxxxxxxxxxx
> Cc: hansg@xxxxxxxxxx
> Reviewed-by: Dan Carpenter <error27@xxxxxxxxx>
> Signed-off-by: Alexandru Hossu <hossu.alexandru@xxxxxxxxx>
> ---
> Apologies for the version numbering confusion across previous iterations.

Please address the review comments found here in your next version:
https://sashiko.dev/#/patchset/20260415094505.1115208-1-hossu.alexandru@xxxxxxxxx

thanks,

greg k-h