]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie()
authorAlexandru Hossu <hossu.alexandru@gmail.com>
Fri, 22 May 2026 00:45:27 +0000 (02:45 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 7 Jul 2026 11:43:16 +0000 (13:43 +0200)
supplicant_ie is a 256-byte array in struct security_priv. The WPA and
WPA2 IE copy paths use:

    memcpy(padapter->securitypriv.supplicant_ie, &pwpa[0], wpa_ielen + 2);

where wpa_ielen is the raw IE length field (u8, 0-255). When a local user
supplies a connect request via nl80211 with a crafted WPA IE of length 255,
wpa_ielen + 2 equals 257, overflowing the 256-byte buffer by one byte into
the adjacent last_mic_err_time field.

rtw_parse_wpa_ie() does not prevent this: its length consistency check
compares *(wpa_ie+1) against (u8)(wpa_ie_len-2), which is (u8)(255) == 255
when wpa_ie_len = 257, so the check passes silently.

Add explicit bounds checks for both the WPA and WPA2 paths before the
memcpy, rejecting any IE whose total size (wpa_ielen + 2) exceeds the
supplicant_ie buffer.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@kernel.org>
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
Link: https://patch.msgid.link/20260522004531.1038924-4-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c

index 1484336d7551a08b26fb1d3be388e4bc15a828af..6a97afd89dc78a0867ea6517b58e07ffa93ead9a 100644 (file)
@@ -1446,6 +1446,10 @@ static int rtw_cfg80211_set_wpa_ie(struct adapter *padapter, u8 *pie, size_t iel
 
        pwpa = rtw_get_wpa_ie(buf, &wpa_ielen, ielen);
        if (pwpa && wpa_ielen > 0) {
+               if (wpa_ielen + 2 > sizeof(padapter->securitypriv.supplicant_ie)) {
+                       ret = -EINVAL;
+                       goto exit;
+               }
                if (rtw_parse_wpa_ie(pwpa, wpa_ielen + 2, &group_cipher, &pairwise_cipher, NULL) == _SUCCESS) {
                        padapter->securitypriv.dot11AuthAlgrthm = dot11AuthAlgrthm_8021X;
                        padapter->securitypriv.ndisauthtype = Ndis802_11AuthModeWPAPSK;
@@ -1455,6 +1459,10 @@ static int rtw_cfg80211_set_wpa_ie(struct adapter *padapter, u8 *pie, size_t iel
 
        pwpa2 = rtw_get_wpa2_ie(buf, &wpa2_ielen, ielen);
        if (pwpa2 && wpa2_ielen > 0) {
+               if (wpa2_ielen + 2 > sizeof(padapter->securitypriv.supplicant_ie)) {
+                       ret = -EINVAL;
+                       goto exit;
+               }
                if (rtw_parse_wpa2_ie(pwpa2, wpa2_ielen + 2, &group_cipher, &pairwise_cipher, NULL) == _SUCCESS) {
                        padapter->securitypriv.dot11AuthAlgrthm = dot11AuthAlgrthm_8021X;
                        padapter->securitypriv.ndisauthtype = Ndis802_11AuthModeWPA2PSK;