jsauer/torvalds-linux
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-01-11 17:10:13 +00:00
Code

staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing

Browse Source 
The Supported Rates IE length from an incoming Association Request frame
was used directly as the memcpy() length when copying into a fixed-size
16-byte stack buffer (supportRate). A malicious station can advertise an
IE length larger than 16 bytes, causing a stack buffer overflow.

Clamp ie_len to the buffer size before copying the Supported Rates IE,
and correct the bounds check when merging Extended Supported Rates to
prevent a second potential overflow.

This prevents kernel stack corruption triggered by malformed association
requests.

Signed-off-by: Navaneeth K <knavaneeth786@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Navaneeth K 2025-11-20 16:33:08 +00:00 committed by Greg Kroah-Hartman
parent 154828bf95
commit 6ef0e1c104
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
View File

@ -1028,6 +1028,9 @@ unsigned int OnAssocReq(struct adapter *padapter, union recv_frame *precv_frame)
status = WLAN_STATUS_CHALLENGE_FAIL;
goto OnAssocReqFail;
} else {
if (ie_len > sizeof(supportRate))
ie_len = sizeof(supportRate);
memcpy(supportRate, p+2, ie_len);
supportRateNum = ie_len;
@ -1035,7 +1038,7 @@ unsigned int OnAssocReq(struct adapter *padapter, union recv_frame *precv_frame)
pkt_len - WLAN_HDR_A3_LEN - ie_offset);
if (p) {
if (supportRateNum <= sizeof(supportRate)) {
if (supportRateNum + ie_len <= sizeof(supportRate)) {
memcpy(supportRate+supportRateNum, p+2, ie_len);
supportRateNum += ie_len;
}