[PATCH] staging: rtl8723bs: fix frame length underflow in OnAuthClient

Next message: Chao Gao: "Re: [PATCH v7 11/22] x86/virt/seamldr: Shut down the current TDX module"
Previous message: Thomas Wei&#xDF;schuh: "Re: [PATCH 1/7] x86/vdso: Respect COMPAT_32BIT_TIME"
In reply to: Alexandru Hossu: "Re: [PATCH] staging: rtl8723bs: fix heap overflow in OnAuthClient shared key path"
Next in thread: Dan Carpenter: "Re: [PATCH] staging: rtl8723bs: fix frame length underflow in OnAuthClient"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Alexandru Hossu

Date: Tue Apr 14 2026 - 06:19:12 EST

If pkt_len is less than WLAN_HDR_A3_LEN + offset + 6, the reads of
the seq and status fields go beyond the frame buffer. Additionally,
when pkt_len < WLAN_HDR_A3_LEN + _AUTH_IE_OFFSET_ (30 bytes), the
subtraction passed to rtw_get_ie() wraps around since pkt_len is
unsigned, causing rtw_get_ie() to scan well past the end of the buffer.

Add a minimum length check after computing offset to reject frames
that are too short before any fixed field access.

Reported-by: Dan Carpenter <error27@xxxxxxxxx>
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Alexandru Hossu <hossu.alexandru@xxxxxxxxx>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index 90f27665667a..6b0ac54ad3d4 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -869,6 +869,9 @@ unsigned int OnAuthClient(struct adapter *padapter, union recv_frame *precv_fram

offset = (GetPrivacy(pframe)) ? 4 : 0;

+ if (pkt_len < WLAN_HDR_A3_LEN + offset + 6)
+ goto authclnt_fail;
+
seq = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 2));
status = le16_to_cpu(*(__le16 *)((SIZE_PTR)pframe + WLAN_HDR_A3_LEN + offset + 4));

--
2.53.0