Commit 6ef0e1c1 authored by Navaneeth K's avatar Navaneeth K Committed by Greg Kroah-Hartman

staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing

The Supported Rates IE length from an incoming Association Request frame
was used directly as the memcpy() length when copying into a fixed-size
16-byte stack buffer (supportRate). A malicious station can advertise an
IE length larger than 16 bytes, causing a stack buffer overflow.

Clamp ie_len to the buffer size before copying the Supported Rates IE,
and correct the bounds check when merging Extended Supported Rates to
prevent a second potential overflow.

This prevents kernel stack corruption triggered by malformed association
requests.

Signed-off-by: Navaneeth K <knavaneeth786@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 154828bf
+4 −1
@@ -1028,6 +1028,9 @@ unsigned int OnAssocReq(struct adapter *padapter, union recv_frame *precv_frame)
		status = WLAN_STATUS_CHALLENGE_FAIL;
		goto OnAssocReqFail;
	} else {
		if (ie_len > sizeof(supportRate))
			ie_len = sizeof(supportRate);

		memcpy(supportRate, p+2, ie_len);
		supportRateNum = ie_len;

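Review bot: The clamp `if (ie_len > sizeof(supportRate)) ie_len = sizeof(supportRate);` before `memcpy(supportRate, p+2, ie_len);` is the correct bound for that copy, since exactly ie_len bytes are written starting at supportRate[0], but it silently truncates the station's rate list instead of treating the frame as malformed. The branch just above this one already rejects bad input with `status = WLAN_STATUS_CHALLENGE_FAIL; goto OnAssocReqFail;`, so consider either rejecting an oversized Supported Rates IE the same way or adding a one-line comment stating that truncation is intentional and that the remaining rates are deliberately ignored; as written, the behaviour change is undocumented in the code and a later reader will not know whether the drop of trailing rates is a design choice.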
@@ -1035,7 +1038,7 @@ unsigned int OnAssocReq(struct adapter *padapter, union recv_frame *precv_frame)
				pkt_len - WLAN_HDR_A3_LEN - ie_offset);
		if (p) {

			if (supportRateNum <= sizeof(supportRate)) {
			if (supportRateNum + ie_len <= sizeof(supportRate)) {
				memcpy(supportRate+supportRateNum, p+2, ie_len);
				supportRateNum += ie_len;
			}
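Review bot: Replacing `if (supportRateNum <= sizeof(supportRate))` with `if (supportRateNum + ie_len <= sizeof(supportRate))` fixes the real problem, because the old check only bounded the offset and never accounted for the ie_len bytes written at `supportRate+supportRateNum`, so a full 16-byte Supported Rates IE followed by any Extended Supported Rates IE overflowed the buffer. Two follow-ups worth noting: first, this hunk is inconsistent with the first one, which clamps and copies a partial list, whereas here the whole Extended Supported Rates IE is dropped when it does not fit; pick one policy (clamp ie_len to `sizeof(supportRate) - supportRateNum` and copy what fits, or reject in both places) and document it. Second, the sum cannot wrap as long as supportRateNum is already bounded by sizeof(supportRate) from the first hunk and ie_len comes from a one-octet IE length field, but if ie_len is a signed type (not visible in this hunk) the comparison against the unsigned sizeof() result deserves a quick check that a negative value cannot reach it.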