Re: [PATCH] staging: rtl8723bs: fix integer underflow in TKIP MIC verification
From: Ethan Tidmore
Date: Sat Apr 04 2026 - 19:15:00 EST
On Sat Apr 4, 2026 at 5:57 PM CDT, Delene Tchio Romuald wrote:
> In recvframe_chkmic(), datalen is computed as:
>
> datalen = len - hdrlen - iv_len - icv_len - 8;
>
> All operands are unsigned, so if the frame is shorter than the sum of
> header, IV, ICV, and MIC lengths, the subtraction wraps to a very
> large value. This corrupted datalen is then passed to
> rtw_seccalctkipmic() and used as a pointer offset, leading to
> out-of-bounds reads on kernel heap memory.
>
> Add a minimum frame length check before the subtraction to prevent
> the unsigned integer underflow.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Delene Tchio Romuald <delenetchior1@xxxxxxxxx>
> ---
Doesn't apply to staging-next.
Thanks,
ET
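
Added example, not part of the original thread and not the patch or the driver's own code: the subtraction quoted in the commit message, in unchecked form beside a form that validates the frame length first. The function names, the uint32_t types and the sample lengths (hdrlen 24, iv_len 8, icv_len 4) are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TKIP_MIC_LEN 8u /* the literal 8 in the quoted expression */

/* Unchecked form: the quoted subtraction on unsigned operands.
 * A frame shorter than the fixed overhead wraps modulo 2^32. */
static uint32_t datalen_unchecked(uint32_t len, uint32_t hdrlen,
                                  uint32_t iv_len, uint32_t icv_len)
{
    return len - hdrlen - iv_len - icv_len - TKIP_MIC_LEN;
}

/* Checked form (hypothetical helper): compare the frame length against
 * the summed overhead before subtracting. The sum is computed in 64 bits
 * so the addition itself cannot wrap. Returns false for short frames. */
static bool datalen_checked(uint32_t len, uint32_t hdrlen,
                            uint32_t iv_len, uint32_t icv_len,
                            uint32_t *datalen)
{
    uint64_t overhead = (uint64_t)hdrlen + iv_len + icv_len + TKIP_MIC_LEN;

    if (len < overhead)
        return false; /* caller drops the frame, no MIC computation */

    *datalen = (uint32_t)(len - overhead);
    return true;
}

int main(void)
{
    /* Constructed sample frame lengths: too short, exactly the overhead, normal. */
    const uint32_t lens[] = { 20, 44, 100 };

    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        uint32_t d = 0;
        bool ok = datalen_checked(lens[i], 24, 8, 4, &d);

        printf("len=%u unchecked=%u checked=%s",
               (unsigned)lens[i],
               (unsigned)datalen_unchecked(lens[i], 24, 8, 4),
               ok ? "accept" : "reject");
        if (ok)
            printf(" datalen=%u", (unsigned)d);
        printf("\n");
    }
    return 0;
}
```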