From nobody Mon Feb 9 14:31:24 2026 Received: from out-179.mta1.migadu.com (out-179.mta1.migadu.com [95.215.58.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 86452314A90 for ; Sun, 8 Feb 2026 11:01:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.179 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770548501; cv=none; b=MFy63CAgHsy5EbzSJivKALru/OOR0uWvu+I9oQ2KywSNmuL2Z8KiKVuWxvc0A/cSwoZydEdvvMj14hS3Mf+PoN4keIbmmhokKovnOXr/rKm/ckhFn0AuYrTCqtD6b9sfQA0HTKw6zNmGYXJCPSMhjfWyghHjl4c8K6HksU47f2I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770548501; c=relaxed/simple; bh=jubLtVEu6Ee5Tq3pWfE33SMZkOBCRpemyjW4LnoYhUg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=WtposmXSifhk2LD8WjH8huLHDVb6JbiaSnYuN/4xDhjYmZ9puM6SU8j21mjKO1xnO6AY615OVTBwp3Jwy4De3rDOicnvBH3iGRCo8wz3Wbkk9WtHqtr/ggj5c9GDnV7RSXOm+A7drTBXvk9RLwTx4iqdmydWwKsShQxR2jYTlQ0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=HKx/PCP6; arc=none smtp.client-ip=95.215.58.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="HKx/PCP6" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1770548499; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LGyONV70NmVe5kpayBnmvTC97UZ6lGVsIJWAjpQVfUU=; b=HKx/PCP64mk00pM9/0Wr074xjJCSq6WBour9rO5I7e+aMWla7CV30C4CfDqX2BJh0CPWaV sd88iuSM6WH3yD2Ffj9lossl0qXjmo7MmsL4n4XNC8cs+pItNSNfpPhCqwqwPZcPjvpwY8 95jHySwvvlcCtuJW4ozSOzeWleFw9Ic= From: luka.gejak@linux.dev To: Greg Kroah-Hartman Cc: Dan Carpenter , linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Luka Gejak , stable@vger.kernel.org Subject: [PATCH v3 01/22] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie Date: Sun, 8 Feb 2026 12:00:50 +0100 Message-ID: <20260208110111.46642-2-luka.gejak@linux.dev> In-Reply-To: <20260208110111.46642-1-luka.gejak@linux.dev> References: <20260208110111.46642-1-luka.gejak@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Migadu-Flow: FLOW_OUT Content-Type: text/plain; charset="utf-8" From: Luka Gejak The current code checks 'i + 5 < in_len' at the end of the if statement. However, it accesses 'in_ie[i + 5]' before that check, which can lead to an out-of-bounds read. Move the length check to the beginning of the conditional to ensure the index is within bounds before accessing the array. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable@vger.kernel.org Signed-off-by: Luka Gejak --- drivers/staging/rtl8723bs/core/rtw_mlme.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme.c b/drivers/staging/rt= l8723bs/core/rtw_mlme.c index 22dc36e8e38a..2bd6f5367bdc 100644 --- a/drivers/staging/rtl8723bs/core/rtw_mlme.c +++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c @@ -1988,7 +1988,10 @@ int rtw_restruct_wmm_ie(struct adapter *adapter, u8 = *in_ie, u8 *out_ie, uint in_ while (i < in_len) { ielength =3D initial_out_len; =20 - if (in_ie[i] =3D=3D 0xDD && in_ie[i + 2] =3D=3D 0x00 && in_ie[i + 3] =3D= =3D 0x50 && in_ie[i + 4] =3D=3D 0xF2 && in_ie[i + 5] =3D=3D 0x02 && i + 5 = < in_len) { /* WMM element ID and OUI */ + if (i + 5 < in_len && + in_ie[i] =3D=3D 0xDD && in_ie[i + 2] =3D=3D 0x00 && + in_ie[i + 3] =3D=3D 0x50 && in_ie[i + 4] =3D=3D 0xF2 && + in_ie[i + 5] =3D=3D 0x02) { for (j =3D i; j < i + 9; j++) { out_ie[ielength] =3D in_ie[j]; ielength++; --=20 2.52.0