The Supported Rates IE length from an incoming Association Request frame
was used directly as the memcpy() length when copying into a fixed-size
16-byte stack buffer (supportRate). A malicious station can advertise an
IE length larger than 16 bytes, causing a stack buffer overflow.

Clamp ie_len to the buffer size before copying the Supported Rates IE,
and correct the bounds check when merging Extended Supported Rates to
prevent a second potential overflow.

This prevents kernel stack corruption triggered by malformed association
requests.

Signed-off-by: Navaneeth K <knavaneeth786@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
status = WLAN_STATUS_CHALLENGE_FAIL;
goto OnAssocReqFail;
} else {
+ if (ie_len > sizeof(supportRate))
+ ie_len = sizeof(supportRate);
+
memcpy(supportRate, p+2, ie_len);
supportRateNum = ie_len;
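Review bot: The clamp at `if (ie_len > sizeof(supportRate))` silently truncates an oversized Supported Rates IE and lets association continue with a partial rate set. The branch just above already rejects a bad frame by setting `status` and doing `goto OnAssocReqFail;`, so consider treating an IE longer than the buffer the same way, since a conforming station should not send one. If truncation is the intended behaviour, a one-line comment above the clamp saying so would help, because `supportRateNum = ie_len;` now records the clamped length rather than the length the station advertised.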
pkt_len - WLAN_HDR_A3_LEN - ie_offset);
if (p) {
- if (supportRateNum <= sizeof(supportRate)) {
+ if (supportRateNum + ie_len <= sizeof(supportRate)) {
memcpy(supportRate+supportRateNum, p+2, ie_len);
supportRateNum += ie_len;
}
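Review bot: With `if (supportRateNum + ie_len <= sizeof(supportRate))` the merge is all-or-nothing: an Extended Supported Rates IE that does not fit in the remaining space is dropped in full and without any log or status change. That is memory-safe, but it is worth either copying only the part that fits (the smaller of `ie_len` and `sizeof(supportRate) - supportRateNum`) or adding a comment that dropping the whole IE is deliberate. Note also that `ie_len` here is the extended IE's length and is not clamped the way the first hunk clamps the Supported Rates length, so this sum check is the only guard on the second `memcpy()`; a short comment stating that would keep a later refactor from weakening it.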