Re: [PATCH v5 1/5] staging: rtl8723bs: fix heap buffer overflow in recvframe_defrag()

Next message: Hannes Reinecke: "Re: [PATCH v3] nvme-auth: Include SC_C in RVAL controller hash"
Previous message: Tian, Kevin: "RE: [PATCH] vfio/pci: Clean up DMABUFs before disabling function"
In reply to: Delene Tchio Romuald: "[PATCH v5 1/5] staging: rtl8723bs: fix heap buffer overflow in recvframe_defrag()"
Next in thread: Delene Tchio Romuald: "[PATCH v5 3/5] staging: rtl8723bs: fix out-of-bounds read in portctrl()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dan Carpenter

Date: Fri Apr 17 2026 - 01:31:46 EST

On Fri, Apr 17, 2026 at 04:01:06AM +0100, Delene Tchio Romuald wrote:
> + /* Verify the receiving buffer has enough space for the fragment */
> + if (pnfhdr->len > pfhdr->rx_end - pfhdr->rx_tail)
> + goto out_err;
>
> - /* memcpy */

I wasn't going to mention this, but since you're going to need to
resend anyway... Yes, this comment is useless but don't delete it
as part of a security fix. It's unrelated.

regards,
dan carpenter

> memcpy(pfhdr->rx_tail, pnfhdr->rx_data, pnfhdr->len);
>
> recvframe_put(prframe, pnfhdr->len);