staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing - user/sven/linux.git

diff options

author	Navaneeth K <knavaneeth786@gmail.com>	2025-11-20 16:33:08 +0000
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-11-27 15:16:34 +0100
commit	6ef0e1c10455927867cac8f0ed6b49f328f8cf95 (patch)
tree	fb8a32831e648c33f05873447d91317d122d30d2 /scripts/gdb/linux/radixtree.py
parent	154828bf9559b9c8421fc2f0d7f7f76b3683aaed (diff)

staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing

The Supported Rates IE length from an incoming Association Request frame was used directly as the memcpy() length when copying into a fixed-size 16-byte stack buffer (supportRate). A malicious station can advertise an IE length larger than 16 bytes, causing a stack buffer overflow. Clamp ie_len to the buffer size before copying the Supported Rates IE, and correct the bounds check when merging Extended Supported Rates to prevent a second potential overflow. This prevents kernel stack corruption triggered by malformed association requests. Signed-off-by: Navaneeth K <knavaneeth786@gmail.com> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'scripts/gdb/linux/radixtree.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: