summaryrefslogtreecommitdiff
path: root/rust/zerocopy/git@git.tavy.me:linux-stable.git
diff options
context:
space:
mode:
authorAlexandru Hossu <hossu.alexandru@gmail.com>2026-05-22 02:45:27 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2026-07-07 13:43:16 +0200
commit5a752a616e756844388a1a45404db9fc29fec655 (patch)
treec889b886123cc307b1682d3023994d2fb1d39169 /rust/zerocopy/git@git.tavy.me:linux-stable.git
parentef61d628dfad38fead1fd2e08979ae9126d011d5 (diff)
staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie()
supplicant_ie is a 256-byte array in struct security_priv. The WPA and WPA2 IE copy paths use: memcpy(padapter->securitypriv.supplicant_ie, &pwpa[0], wpa_ielen + 2); where wpa_ielen is the raw IE length field (u8, 0-255). When a local user supplies a connect request via nl80211 with a crafted WPA IE of length 255, wpa_ielen + 2 equals 257, overflowing the 256-byte buffer by one byte into the adjacent last_mic_err_time field. rtw_parse_wpa_ie() does not prevent this: its length consistency check compares *(wpa_ie+1) against (u8)(wpa_ie_len-2), which is (u8)(255) == 255 when wpa_ie_len = 257, so the check passes silently. Add explicit bounds checks for both the WPA and WPA2 paths before the memcpy, rejecting any IE whose total size (wpa_ielen + 2) exceeds the supplicant_ie buffer. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable <stable@kernel.org> Reviewed-by: Luka Gejak <luka.gejak@linux.dev> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com> Link: https://patch.msgid.link/20260522004531.1038924-4-hossu.alexandru@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'rust/zerocopy/git@git.tavy.me:linux-stable.git')
0 files changed, 0 insertions, 0 deletions