On Thu, Jan 29, 2026 at 02:23:51PM +0100, Luka Gejak wrote:
> Add a length check before accessing the OUI in WMM
> IE to prevent potential out-of-bounds reads.
Is this really a bugfix? if so, it needs to go first, and be tagged for
stable trees.
> Use memcmp() for better readability.
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
>
> Signed-off-by: Luka Gejak <lukagejak5@gmail.com>
> ---
> drivers/staging/rtl8723bs/core/rtw_mlme.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme.c b/drivers/staging/rtl8723bs/core/rtw_mlme.c
> index c4f58106b3bd..18a70879f78f 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
> @@ -2000,7 +2000,8 @@ int rtw_restruct_wmm_ie(struct adapter *adapter, u8 *in_ie, u8 *out_ie, uint in_
> while (i < in_len) {
> ielength = initial_out_len;
>
> - if (in_ie[i] == 0xDD && in_ie[i+2] == 0x00 && in_ie[i+3] == 0x50 && in_ie[i+4] == 0xF2 && in_ie[i+5] == 0x02 && i+5 < in_len) { /* WMM element ID and OUI */
> + if (i + 5 < in_len && in_ie[i] == 0xDD &&
> + !memcmp(&in_ie[i + 2], "\x00\x50\xf2\x02", 4)) {
Very odd indentation :(
Also, why invert the i+5 check? And the memcmp check is now messier
than the original.
And is that where you are saying this is a security fix? If so, it's
just a read, not a write, so what is the security issue?
thanks,
greg k-h