diff options
| author | Alexandru Hossu <hossu.alexandru@gmail.com> | 2026-05-22 02:45:27 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-07-07 13:43:16 +0200 |
| commit | 5a752a616e756844388a1a45404db9fc29fec655 (patch) | |
| tree | c889b886123cc307b1682d3023994d2fb1d39169 /rust/zerocopy/src/git@git.tavy.me:linux-stable.git | |
| parent | ef61d628dfad38fead1fd2e08979ae9126d011d5 (diff) | |
staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie()
supplicant_ie is a 256-byte array in struct security_priv. The WPA and
WPA2 IE copy paths use:
memcpy(padapter->securitypriv.supplicant_ie, &pwpa[0], wpa_ielen + 2);
where wpa_ielen is the raw IE length field (u8, 0-255). When a local user
supplies a connect request via nl80211 with a crafted WPA IE of length 255,
wpa_ielen + 2 equals 257, overflowing the 256-byte buffer by one byte into
the adjacent last_mic_err_time field.
rtw_parse_wpa_ie() does not prevent this: its length consistency check
compares *(wpa_ie+1) against (u8)(wpa_ie_len-2), which is (u8)(255) == 255
when wpa_ie_len = 257, so the check passes silently.
Add explicit bounds checks for both the WPA and WPA2 paths before the
memcpy, rejecting any IE whose total size (wpa_ielen + 2) exceeds the
supplicant_ie buffer.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@kernel.org>
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
Link: https://patch.msgid.link/20260522004531.1038924-4-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'rust/zerocopy/src/git@git.tavy.me:linux-stable.git')
0 files changed, 0 insertions, 0 deletions
