lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260122041450.2325560-4-s9430939@naver.com>
Date: Thu, 22 Jan 2026 13:14:50 +0900
From: Minu Jin <s9430939@...er.com>
To: gregkh@...uxfoundation.org
Cc: andriy.shevchenko@...ux.intel.com,
	abrahamadekunle50@...il.com,
	zxcv2569763104@...il.com,
	milospuric856@...il.com,
	karanja99erick@...il.com,
	weibu@...admin.org,
	dan.carpenter@...aro.org,
	linux-staging@...ts.linux.dev,
	linux-kernel@...r.kernel.org,
	Minu Jin <s9430939@...er.com>
Subject: [PATCH v5 3/3] staging: rtl8723bs: prevent partial reads in _rtw_pktfile_read

The current implementation of _rtw_pktfile_read() allows reading less
data than requested if there isn't enough data remaining.

This is problematic because callers usually request a fixed size (like
a header size) and expect that full amount. Reading only part of the
data means the caller gets incomplete information, which can lead to
errors in packet processing.

To fix this, update the function to:
1. Return -EINVAL if the remaining data is smaller than the requested
   length.
2. Check the return value of skb_copy_bits() and propagate errors.
3. Only update the internal pointers (cur_addr, pkt_len) if the read
   is fully successful.

Callers have already been updated in previous patches to handle these
negative error codes.

Signed-off-by: Minu Jin <s9430939@...er.com>
---
 drivers/staging/rtl8723bs/os_dep/xmit_linux.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/drivers/staging/rtl8723bs/os_dep/xmit_linux.c b/drivers/staging/rtl8723bs/os_dep/xmit_linux.c
index ea54a573e025..72cf8cd5f7c6 100644
--- a/drivers/staging/rtl8723bs/os_dep/xmit_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/xmit_linux.c
@@ -23,21 +23,20 @@ void _rtw_open_pktfile(struct sk_buff *pktptr, struct pkt_file *pfile)
 
 int _rtw_pktfile_read(struct pkt_file *pfile, u8 *rmem, unsigned int rlen)
 {
-	unsigned int len;
 	int ret;
 
-	len =  rtw_remainder_len(pfile);
- 	len = (rlen > len) ? len : rlen;
+	if (rtw_remainder_len(pfile) < rlen)
+		return -EINVAL;
 
 	if (rmem) {
-		ret = skb_copy_bits(pfile->pkt, pfile->buf_len - pfile->pkt_len, rmem, len);
+		ret = skb_copy_bits(pfile->pkt, pfile->buf_len - pfile->pkt_len, rmem, rlen);
 		if (ret < 0)
 			return ret;
 	}
 
-	pfile->cur_addr += len;
-	pfile->pkt_len -= len;
-	return len;
+	pfile->cur_addr += rlen;
+	pfile->pkt_len -= rlen;
+	return rlen;
 }
 
 signed int rtw_endofpktfile(struct pkt_file *pfile)
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ