summaryrefslogtreecommitdiff
path: root/rust/zerocopy/git@git.tavy.me:linux-stable.git
diff options
context:
space:
mode:
authorAlexandru Hossu <hossu.alexandru@gmail.com>2026-05-22 02:46:05 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2026-07-07 13:42:23 +0200
commita1fc19d61f661d47204f095b593de507884849f7 (patch)
tree04a8b1411816ce38e9e431d27a870ef67efe22a3 /rust/zerocopy/git@git.tavy.me:linux-stable.git
parent151edde741f8bc7f2931c5f44ab376d32b0c8beb (diff)
staging: rtl8723bs: fix WEP length underflow and OOB read in OnAuth()
OnAuth() has two bugs in the shared-key authentication path. When the Privacy bit is set, rtw_wep_decrypt() is called without verifying that the frame is long enough to contain a valid WEP IV and ICV. Inside rtw_wep_decrypt(), length is computed as: length = len - WLAN_HDR_A3_LEN - iv_len and then passed as (length - 4) to crc32_le(). If len is less than WLAN_HDR_A3_LEN + iv_len + icv_len (32 bytes), length - 4 is negative and, after the implicit cast to size_t, causes crc32_le() to read far beyond the frame buffer. Add a minimum length check before accessing the IV field and calling the decryption path. When processing a seq=3 response, rtw_get_ie() stores the Challenge Text IE length in ie_len, but the subsequent memcmp() always reads 128 bytes regardless of ie_len. IEEE 802.11 mandates a challenge text of exactly 128 bytes; reject any IE whose length field differs, matching the check already applied to OnAuthClient(). Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable <stable@kernel.org> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com> Link: https://patch.msgid.link/20260522004605.1039209-1-hossu.alexandru@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'rust/zerocopy/git@git.tavy.me:linux-stable.git')
0 files changed, 0 insertions, 0 deletions