Re: [PATCH v6] staging: rtl8723bs: fix heap buffer overflow in cfg80211_rtw_add_key()

From: Greg KH

Date: Mon May 04 2026 - 10:58:46 EST


On Mon, Apr 27, 2026 at 11:17:45AM +0000, Feng Ning wrote:
> The cfg80211 framework allows userspace to specify a key sequence
> counter (NL80211_KEY_SEQ) of up to 16 bytes via NL80211_CMD_NEW_KEY
> netlink messages, but ieee_param.crypt.seq is a fixed 8-byte buffer.
> When cfg80211_rtw_add_key() copies the sequence counter via memcpy()
> without checking seq_len, a heap buffer overflow of up to 8 bytes
> occurs, overwriting bytes following seq within the same ieee_param
> structure (key_len and the trailing key[] flexible array).
>
> Cap the copy length at the buffer size using min_t().
>
> Reviewed-by: Luka Gejak <luka.gejak@xxxxxxxxx>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Feng Ning <feng@xxxxxxxxx>
> ---

What about these review comments:
https://sashiko.dev/#/patchset/20260427111738.33069-1-feng@xxxxxxxxx

Are they incorrect?

And was this tested on real hardware?

thanks,

greg k-h
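The length clamp the quoted commit message describes, shown as an added userspace example that is not part of this thread or of the rtl8723bs driver: the struct below is a constructed stand-in for the tail of `ieee_param.crypt` (an 8-byte `seq`, then `key_len`, then the flexible `key[]` array, as the commit message lays it out; the field types other than `seq` are assumed), `min_size()` stands in for the kernel's `min_t()`, and the helper names are hypothetical. It computes how far an unchecked `memcpy()` of a 16-byte sequence counter would spill, then performs the bounded copy on a heap allocation and checks that `key_len` and the key material are untouched.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RTW_SEQ_LEN         8   /* size of ieee_param.crypt.seq per the commit message */
#define NL80211_MAX_SEQ_LEN 16  /* largest NL80211_KEY_SEQ cfg80211 accepts, per the commit message */

/* Constructed stand-in for the tail of the driver's ieee_param.crypt:
 * a fixed 8-byte seq, then key_len, then the flexible key[] array.
 * Only the field order matters here; the types other than seq are assumed. */
struct crypt_param {
    uint8_t  seq[RTW_SEQ_LEN];
    uint16_t key_len;
    uint8_t  key[];
};

/* Userspace stand-in for the kernel's min_t(size_t, a, b). */
static size_t min_size(size_t a, size_t b)
{
    return a < b ? a : b;
}

/* How many bytes an unchecked memcpy(p->seq, seq, seq_len) would write past
 * the end of seq, i.e. into key_len and key[]. Computed, never performed. */
static size_t seq_overflow_bytes(size_t seq_len)
{
    return seq_len > RTW_SEQ_LEN ? seq_len - RTW_SEQ_LEN : 0;
}

/* Hardened copy following the patch's approach: clamp the copy length to
 * the destination size. Returns the number of bytes actually copied. */
static size_t copy_seq_bounded(struct crypt_param *p, const uint8_t *seq, size_t seq_len)
{
    size_t n = min_size(seq_len, sizeof(p->seq));

    memcpy(p->seq, seq, n);
    return n;
}

/* Allocate a param with key_len bytes of key material on the heap (as the
 * driver does), copy a sequence counter of seq_len bytes with the bounded
 * helper, and report whether key_len and key[] survived. Returns 1 if so. */
static int key_fields_preserved_after_copy(size_t seq_len)
{
    const uint16_t key_len = 16;
    uint8_t seq[NL80211_MAX_SEQ_LEN];
    struct crypt_param *p;
    size_t i;
    int ok;

    if (seq_len > sizeof(seq))
        return 0;
    for (i = 0; i < sizeof(seq); i++)
        seq[i] = (uint8_t)(0xA0 + i);   /* constructed counter bytes */

    p = calloc(1, sizeof(*p) + key_len);
    if (!p)
        return 0;
    p->key_len = key_len;
    memset(p->key, 0x5C, key_len);      /* constructed key material */

    copy_seq_bounded(p, seq, seq_len);

    ok = p->key_len == key_len;
    for (i = 0; ok && i < key_len; i++)
        ok = p->key[i] == 0x5C;
    /* The first min(seq_len, 8) bytes of seq must match the input. */
    ok = ok && memcmp(p->seq, seq, min_size(seq_len, RTW_SEQ_LEN)) == 0;

    free(p);
    return ok;
}

int main(void)
{
    printf("unchecked copy of a 16-byte seq would spill %zu bytes\n",
           seq_overflow_bytes(NL80211_MAX_SEQ_LEN));
    printf("bounded copy keeps key_len and key[] intact: %s\n",
           key_fields_preserved_after_copy(NL80211_MAX_SEQ_LEN) ? "yes" : "no");
    return 0;
}
```

Clamping silently truncates a counter longer than 8 bytes rather than rejecting it; whether the driver should instead return an error for such requests is exactly the kind of point a reviewer would raise on the patch, and the helper above makes the truncation visible by returning the copied length.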