staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing - kernel/linux.git

diff options

author	Navaneeth K <knavaneeth786@gmail.com>	2025-11-20 19:33:08 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-12-12 20:40:23 +0300
commit	25411f5fcf5743131158f337c99c2bbf3f8477f5 (patch)
tree	2c70d21162d18aaa0613bafcb8f5a1a7c25fc646 /include/linux/overflow.h
parent	df191dd9f4c7249d98ada55634fa8ac19089b8cb (diff)
download	linux-25411f5fcf5743131158f337c99c2bbf3f8477f5.tar.xz

staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing

commit 6ef0e1c10455927867cac8f0ed6b49f328f8cf95 upstream. The Supported Rates IE length from an incoming Association Request frame was used directly as the memcpy() length when copying into a fixed-size 16-byte stack buffer (supportRate). A malicious station can advertise an IE length larger than 16 bytes, causing a stack buffer overflow. Clamp ie_len to the buffer size before copying the Supported Rates IE, and correct the bounds check when merging Extended Supported Rates to prevent a second potential overflow. This prevents kernel stack corruption triggered by malformed association requests. Signed-off-by: Navaneeth K <knavaneeth786@gmail.com> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'include/linux/overflow.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: