The Extended Supported Rates (ESR) IE handling in OnBeacon accessed
*(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these
offsets lie within the received frame buffer. A malformed beacon with
an ESR IE positioned at the end of the buffer could cause an
out-of-bounds read, potentially triggering a kernel panic.
Add a boundary check to ensure that the ESR IE body and the subsequent
bytes are within the limits of the frame before attempting to access
them.
This prevents OOB reads caused by malformed beacon frames.
Signed-off-by: Navaneeth K <knavaneeth786@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The Supported Rates IE length from an incoming Association Request frame
was used directly as the memcpy() length when copying into a fixed-size
16-byte stack buffer (supportRate). A malicious station can advertise an
IE length larger than 16 bytes, causing a stack buffer overflow.
Clamp ie_len to the buffer size before copying the Supported Rates IE,
and correct the bounds check when merging Extended Supported Rates to
prevent a second potential overflow.
This prevents kernel stack corruption triggered by malformed association
requests.
Signed-off-by: Navaneeth K <knavaneeth786@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The Information Element (IE) parser rtw_get_ie() trusted the length
byte of each IE without validating that the IE body (len bytes after
the 2-byte header) fits inside the remaining frame buffer. A malformed
frame can advertise an IE length larger than the available data, causing
the parser to increment its pointer beyond the buffer end. This results
in out-of-bounds reads or, depending on the pattern, an infinite loop.
Fix by validating that (offset + 2 + len) does not exceed the limit
before accepting the IE or advancing to the next element.
This prevents OOB reads and ensures the parser terminates safely on
malformed frames.
Signed-off-by: Navaneeth K <knavaneeth786@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
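The three bounds-check fixes above (the ESR read in OnBeacon, the supportRate clamp for association requests, and the length validation in rtw_get_ie()) share one pattern: never use or skip an IE body until (offset + 2 + len) has been checked against the frame limit, and never copy more than the destination holds. As an added illustration that is not the driver's code, the C below applies that pattern in a minimal IE walker and rate merge; the function names find_ie and collect_rates, the 16-entry table and the sample frames are constructed for this example (element IDs 1 and 50 are the standard Supported Rates and Extended Supported Rates IDs).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define IE_RATES     1   /* Supported Rates element ID */
#define IE_EXT_RATES 50  /* Extended Supported Rates element ID */
#define MAX_RATES    16  /* fixed rate table, like the 16-byte supportRate */

/* Body of the first IE with `id` in buf[0..buflen), or NULL if absent or if
 * any element's body (off + 2 + len) would run past buflen. Checking before
 * the IE is used or skipped stops both the OOB read and the runaway walk. */
static const uint8_t *find_ie(const uint8_t *buf, size_t buflen, uint8_t id,
                              size_t *out_len)
{
    size_t off = 0;
    while (off + 2 <= buflen) {
        size_t len = buf[off + 1];
        if (off + 2 + len > buflen)
            return NULL;              /* malformed length: stop the walk */
        if (buf[off] == id) {
            *out_len = len;
            return buf + off + 2;
        }
        off += 2 + len;
    }
    return NULL;
}

/* Merge Supported + Extended Supported Rates into a fixed local table, as an
 * association request is processed; each copy is clamped to the space left. */
static size_t collect_rates(const uint8_t *buf, size_t buflen)
{
    static const uint8_t ids[2] = { IE_RATES, IE_EXT_RATES };
    uint8_t rates[MAX_RATES];
    size_t n = 0, len;
    for (int i = 0; i < 2; i++) {
        const uint8_t *ie = find_ie(buf, buflen, ids[i], &len);
        if (!ie)
            continue;
        if (len > MAX_RATES - n)
            len = MAX_RATES - n;      /* clamp, as the fix does */
        memcpy(rates + n, ie, len);
        n += len;
    }
    return n;                         /* number of rates stored in the table */
}
/* Constructed frames: well formed (3 + 2 rates); an ESR claiming 9 body bytes
 * with only 2 left (truncated); and 8 + 12 rates, more than the table holds. */
static const uint8_t frame_ok[]    = { 1, 3, 0x82, 0x84, 0x8b, 50, 2, 0x0c, 0x18 };
static const uint8_t frame_trunc[] = { 1, 3, 0x82, 0x84, 0x8b, 50, 9, 0x0c, 0x18 };
static const uint8_t frame_big[]   = { 1, 8, 1, 2, 3, 4, 5, 6, 7, 8, 50, 12, 9,
                                       10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20 };
```

With the truncated frame the walker rejects the ESR element and the caller is left with the three rates it had already validated; with the oversized pair the merge stops at the table's 16 entries instead of writing past it.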
Replaces multiple memcpy() calls with ether_addr_copy() for copying
MAC/Ethernet addresses in rtl8723bs. This improves readability and
aligns with Linux kernel best practices for handling Ethernet addresses.
Fixes the following checkpatch.pl warning:
"Use ether_addr_copy() instead of memcpy() for Ethernet addresses."
These updates enhance code clarity and maintain consistency with
network driver conventions.
Signed-off-by: Dharanitharan R <dharanitharan725@gmail.com>
Link: https://patch.msgid.link/20251023145903.2557-1-dharanitharan725@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Rename two functions from camel case to snake case to follow kernel
style.
- `UpdateBrateTbl` to `update_basic_rate_table`
- `UpdateBrateTblForSoftAP` to `update_basic_rate_table_soft_ap`
Signed-off-by: Bryant Boatright <bryant.boatright@proton.me>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Use a random mac address if we cannot load it from the efuses.
Do not use a constant mac address as fallback. This may create conflicts
if we have several rtl8723bs devices on the network.
Signed-off-by: Michael Straube <straube.linux@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This patch fixes instances of comment lines in rtw_ap.c that exceeded the
recommended 80–100 character limit. The affected comments were reflowed
to span multiple lines, each starting with " * " as per kernel coding
style guidelines.
These are coding style cleanups only. No functional changes.
Signed-off-by: Rohan Tripathi <trohan2000@gmail.com>
Link: https://lore.kernel.org/r/20251007091303.491115-6-trohan2000@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This patch removes cases where code lines began with an opening
parenthesis or had alignment issues, which is against kernel coding style. The affected
expressions have been reformatted so that continuation lines align
with the opening parenthesis of the statement.
This is a coding style cleanup only. No functional changes.
Signed-off-by: Rohan Tripathi <trohan2000@gmail.com>
Link: https://lore.kernel.org/r/20251007091303.491115-4-trohan2000@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This patch removes a commented-out assignment to
psta->dot118021XPrivacy in rtw_ap.c. The comment indicates
that the statement is no longer needed, so keeping it adds
no value.
Removing this line (and the superfluous blank line that
remained with it) improves code readability and matches
kernel coding style.
This is a cleanup only. No functional changes.
Signed-off-by: Rohan Tripathi <trohan2000@gmail.com>
Link: https://lore.kernel.org/r/20251007091303.491115-3-trohan2000@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Pull staging driver updates from Greg KH:
"Here is the 'big' set of staging driver changes for 6.18-rc1. Nothing
really exciting in here; they pretty much consist of:
- minor coding style changes and cleanups
- some api layer removals where not needed
Overall a quiet development cycle.
All have been in linux-next for a while with no reported issues"
* tag 'staging-6.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (63 commits)
staging: rtl8723bs: xmit: rephrase comment and drop extra space
staging: sm750fb: rename camel case variable
staging: rtl8723bs: hal: put return type and function name on one line
staging: rtl8723bs: fix typo in comment
staging: sm750fb: rename snake case variables
staging: sm750fb: remove unnecessary volatile qualifiers
staging: rtl8723bs: rtw_efuse.h: simplify copyright banner
staging: rtl8723bs: remove unused tables
staging: rtl8723bs: Hal_EfuseParseAntennaDiversity_8723B is empty
staging: rtl8723bs: remove REG_EFUSE_ACCESS_8723 and EFUSE_ACCESS_ON_8723
staging: rtl8723bs: remove bWrite from Hal_EfusePowerSwitch
staging: rtl8723bs: remove wrapper Efuse_PowerSwitch
staging: octeon: Clean up dead code in ethernet-tx.c
staging: rtl8723bs: fix fortify warnings by using struct_group
staging: gpib: use int type to store negative error codes
staging: rtl8723bs: remove include/recv_osdep.h
staging: rtl8723bs: remove os_dep/recv_linux.c
staging: rtl8723bs: rename rtw_os_recv_indicate_pkt
staging: rtl8723bs: move rtw_os_recv_indicate_pkt to rtw_recv.c
staging: rtl8723bs: rename rtw_os_alloc_msdu_pkt
...
The macros REG_EFUSE_ACCESS_8723 and EFUSE_ACCESS_ON_8723 are redundant;
both are already defined in header files without the _8723 suffix. Remove
them and use the macros from the header files.
rtl8723b_hal.h:138:
#define EFUSE_ACCESS_ON 0x69 /* For RTL8723 only. */
hal_com_reg.h:35:
#define REG_EFUSE_ACCESS 0x00CF /* Efuse access protection for RTL8723 */
Signed-off-by: Michael Straube <straube.linux@gmail.com>
Tested-by: Philipp Hortmann <philipp.g.hortmann@gmail.com> # Trendbook Next 14
Link: https://lore.kernel.org/r/20250824095830.79233-4-straube.linux@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fix fortify_memcpy_chk warnings in rtw_BIP_verify() and
rtw_mgmt_xmitframe_coalesce() functions by using struct_group
to access consecutive address fields.
Changed memcpy calls to use &hdr->addrs instead of hdr->addr1
when copying 18 bytes (addr1 + addr2 + addr3).
This resolves 'detected read beyond size of field' warnings
by using the proper struct_group mechanism as suggested by
the compiler.
Signed-off-by: yingche <zxcv2569763104@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/20250829040906.895221-1-zxcv2569763104@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>