Re: [PATCH v6] staging: rtl8723bs: fix heap buffer overflow in cfg80211_rtw_add_key()
From: Luka Gejak
Date: Mon May 04 2026 - 12:48:59 EST
On May 4, 2026 4:12:44 PM GMT+02:00, Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>On Mon, Apr 27, 2026 at 11:17:45AM +0000, Feng Ning wrote:
>> The cfg80211 framework allows userspace to specify a key sequence
>> counter (NL80211_KEY_SEQ) of up to 16 bytes via NL80211_CMD_NEW_KEY
>> netlink messages, but ieee_param.crypt.seq is a fixed 8-byte buffer.
>> When cfg80211_rtw_add_key() copies the sequence counter via memcpy()
>> without checking seq_len, a heap buffer overflow of up to 8 bytes
>> occurs, overwriting bytes following seq within the same ieee_param
>> structure (key_len and the trailing key[] flexible array).
>>
>> Cap the copy length at the buffer size using min_t().
>>
>> Reviewed-by: Luka Gejak <luka.gejak@xxxxxxxxx>
>> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
>> Cc: stable@xxxxxxxxxxxxxxx
>> Signed-off-by: Feng Ning <feng@xxxxxxxxx>
>> ---
>
>What about these review comments:
> https://sashiko.dev/#/patchset/20260427111738.33069-1-feng@xxxxxxxxx
>
>Are they incorrect?
>
>And was this tested on real hardware?
>
>thanks,
>
>greg k-h
Hi Greg,
Is it better to let the driver attempt to function with a truncated
key sequence (via min_t), or should we explicitly reject the request
with -EINVAL to ensure we aren't installing a technically "broken" key
configuration? Which approach is more aligned with your preferences?
Best regards,
Luka Gejak
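The two alternatives discussed here, truncating via min_t() versus rejecting with -EINVAL, side by side as an added stand-alone C example (not the driver's code and not the patch itself): a constructed struct mirrors the ieee_param layout the commit message describes, and demo_apply checks that the neighbouring key_len field survives a 16-byte NL80211-sized counter; demo_param, demo_min, set_seq_clamped, set_seq_strict and demo_apply are names assumed for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the ieee_param layout the commit message
 * describes (8-byte seq, then key_len, then a flexible key[]). */
struct demo_param {
    uint8_t seq[8];
    uint16_t key_len;
    uint8_t key[];
};

#define demo_min(a, b) ((a) < (b) ? (a) : (b)) /* stand-in for min_t() */

/* Option 1, as in the posted patch: clamp the copy to sizeof(seq).
 * Returns the number of bytes actually copied. */
static size_t set_seq_clamped(struct demo_param *p, const uint8_t *seq, size_t seq_len)
{
    size_t n = demo_min(seq_len, sizeof(p->seq));
    memcpy(p->seq, seq, n);
    return n;
}

/* Option 2, as raised in the reply: reject oversized counters outright.
 * Returns 0 or -EINVAL, kernel style. */
static int set_seq_strict(struct demo_param *p, const uint8_t *seq, size_t seq_len)
{
    if (seq_len > sizeof(p->seq))
        return -EINVAL;
    memcpy(p->seq, seq, seq_len);
    return 0;
}

/* Applies one policy to a constructed seq_len-byte counter (up to the 16-byte
 * NL80211 maximum). Returns the policy's result, or -1 if key_len changed. */
static int demo_apply(size_t seq_len, int strict)
{
    static struct demo_param p;
    uint8_t seq[16];
    int rc;
    if (seq_len > sizeof(seq))
        return -1;
    memset(seq, 0xAA, sizeof(seq));
    p.key_len = 0x1234; /* sentinel in the field the overflow would hit */
    rc = strict ? set_seq_strict(&p, seq, seq_len)
                : (int)set_seq_clamped(&p, seq, seq_len);
    return p.key_len == 0x1234 ? rc : -1;
}
```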