staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing - linux - Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/

diff options

author	Navaneeth K <knavaneeth786@gmail.com>	2025-11-20 16:33:08 +0000
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-11-27 15:16:34 +0100
commit	6ef0e1c10455927867cac8f0ed6b49f328f8cf95 (patch)
tree	fb8a32831e648c33f05873447d91317d122d30d2 /tools/perf/scripts/python
parent	staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser (diff)
download	linux-6ef0e1c10455927867cac8f0ed6b49f328f8cf95.tar.gz linux-6ef0e1c10455927867cac8f0ed6b49f328f8cf95.zip

staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing

The Supported Rates IE length from an incoming Association Request frame was used directly as the memcpy() length when copying into a fixed-size 16-byte stack buffer (supportRate). A malicious station can advertise an IE length larger than 16 bytes, causing a stack buffer overflow. Clamp ie_len to the buffer size before copying the Supported Rates IE, and correct the bounds check when merging Extended Supported Rates to prevent a second potential overflow. This prevents kernel stack corruption triggered by malformed association requests. Signed-off-by: Navaneeth K <knavaneeth786@gmail.com> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'tools/perf/scripts/python')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: