From: Johnny Hao <johnny_haocn@sina.com>
To: gregkh@linuxfoundation.org, stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Navaneeth K, stable, Johnny Hao
Subject: [PATCH 5.15.y] staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
Date: Mon, 30 Mar 2026 11:12:31 +0800
Message-Id: <20260330031231.1411491-1-johnny_haocn@sina.com>

From: Navaneeth K

[ Upstream commit 154828bf9559b9c8421fc2f0d7f7f76b3683aaed ]

The Information Element (IE) parser rtw_get_ie() trusted the length byte of
each IE without validating that the IE body (len bytes after the 2-byte
header) fits inside the remaining frame buffer. A malformed frame can
advertise an IE length larger than the available data, causing the parser
to increment its pointer beyond the buffer end. This results in
out-of-bounds reads or, depending on the pattern, an infinite loop.

Fix by validating that (offset + 2 + len) does not exceed the limit before
accepting the IE or advancing to the next element. This prevents OOB reads
and ensures the parser terminates safely on malformed frames.

Signed-off-by: Navaneeth K
Cc: stable
Signed-off-by: Greg Kroah-Hartman
[ The context change is due to the commit 4610e57a7d2e ("staging: rtl8723bs:
Remove redundant else branches.") in v5.19 which is irrelevant to the logic
of this patch. ]
Signed-off-by: Johnny Hao
---
 drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
index b449be537376..fad2004ec59b 100644
--- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
+++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
@@ -141,23 +141,24 @@ u8 *rtw_get_ie(u8 *pbuf, signed int index, signed int *len, signed int limit)
 	signed int tmp, i;
 	u8 *p;
 
-	if (limit < 1)
+	if (limit < 2)
 		return NULL;
 
 	p = pbuf;
 	i = 0;
 	*len = 0;
-	while (1) {
+	while (i + 2 <= limit) {
+		tmp = *(p + 1);
+		if (i + 2 + tmp > limit)
+			break;
+
 		if (*p == index) {
-			*len = *(p + 1);
+			*len = tmp;
 			return p;
 		} else {
-			tmp = *(p + 1);
 			p += (tmp + 2);
 			i += (tmp + 2);
 		}
-		if (i >= limit)
-			break;
 	}
 	return NULL;
 }
-- 
2.34.1
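Review bot: the `if (limit < 2) return NULL;` at the top of the hunk is now redundant, since `i` starts at 0 and the new `while (i + 2 <= limit)` guard already skips the body and falls through to `return NULL` for any limit below 2; harmless, but either drop it or comment it as a deliberate early exit. Two consequences of these lines belong in the commit message: first, behaviour changes for a matching IE whose advertised body overruns the buffer (the old loop returned it with an oversized `*len`; the new loop hits `if (i + 2 + tmp > limit) break;` and returns NULL), so callers now see such an element as absent instead of receiving a length they must not trust; second, every iteration advances `i` by `tmp + 2`, at least 2, both before and after the patch, so the "infinite loop" in the description is not something this loop can do on its own, and the message should name the pattern that produces it (for example a caller walking the returned oversized `*len`) or drop the claim. The old `limit < 1` test was also off by one, letting a 1-byte buffer read `*(p + 1)` past its end; the new loop guard fixes that and a sentence saying so would help stable reviewers.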
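As an added example, not code from this patch or from the rtl8723bs driver: a C lookup in the shape of the patched loop, beside a simulation of the unpatched walk that reports an out-of-bounds access instead of performing it, run over constructed frames. The names (ie_find, old_walk_sim, the *_frame arrays) are ours; the element ids used are the 802.11 ones for SSID (0) and DS Parameter Set (3).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not driver code: an 802.11 information-element (IE) lookup
 * in the shape of the patched rtw_get_ie(), beside a simulation of the
 * unpatched walk that reports an out-of-bounds access instead of doing it.
 * IE layout: 1 byte element id, 1 byte body length, then the body.
 *
 * Hardened lookup, mirroring the patched loop: the 2-byte header must fit
 * and the body it advertises must fit before the element is accepted or
 * skipped. Returns the header pointer and sets *ie_len, or NULL when the id
 * is absent or some element overruns the buffer. */
static const uint8_t *ie_find(const uint8_t *buf, size_t limit, uint8_t id,
                              size_t *ie_len)
{
    size_t i = 0;
    *ie_len = 0;
    while (i + 2 <= limit) {
        size_t len = buf[i + 1];
        if (i + 2 + len > limit)
            return NULL;        /* advertised body overruns: stop here */
        if (buf[i] == id) {
            *ie_len = len;
            return buf + i;
        }
        i += 2 + len;           /* skip header + body */
    }
    return NULL;                /* end of buffer, or a lone trailing byte */
}

/* Outcome of the simulated pre-patch walk. */
enum old_result { OLD_NOT_FOUND, OLD_FOUND_OK, OLD_FOUND_OVERSIZED, OLD_OOB_HEADER };

/* Same control flow as the old loop (read length, compare id, advance, then
 * test i >= limit), but each access is checked and reported, not performed. */
static enum old_result old_walk_sim(const uint8_t *buf, size_t limit, uint8_t id,
                                    size_t *ie_len)
{
    size_t i = 0;
    if (limit < 1)
        return OLD_NOT_FOUND;
    for (;;) {
        size_t len;
        if (i + 1 >= limit)     /* old code read buf[i + 1] unconditionally */
            return OLD_OOB_HEADER;
        len = buf[i + 1];
        if (buf[i] == id) {
            if (ie_len)
                *ie_len = len;  /* a caller would then read len body bytes */
            return i + 2 + len <= limit ? OLD_FOUND_OK : OLD_FOUND_OVERSIZED;
        }
        i += 2 + len;
        if (i >= limit)
            return OLD_NOT_FOUND;
    }
}

/* Number-returning wrappers: offset of the IE header, or -1; its length, or -1. */
static long ie_find_offset(const uint8_t *buf, size_t limit, uint8_t id)
{
    size_t len;
    const uint8_t *p = ie_find(buf, limit, id, &len);
    return p ? (long)(p - buf) : -1;
}

static long ie_find_len(const uint8_t *buf, size_t limit, uint8_t id)
{
    size_t len;
    return ie_find(buf, limit, id, &len) ? (long)len : -1;
}

/* Constructed frames, not captures: SSID (id 0, "test") then DS Parameter Set
 * (id 3). The second advertises a 200-byte body with 1 byte present; the
 * third is cut off after the element id, before its length byte. */
static const uint8_t good_frame[]      = { 0, 4, 't', 'e', 's', 't', 3, 1, 6 };
static const uint8_t oversized_frame[] = { 0, 4, 't', 'e', 's', 't', 3, 200, 6 };
static const uint8_t truncated_frame[] = { 0, 4, 't', 'e', 's', 't', 3 };

int main(void)
{
    size_t claimed = 0;
    int old = old_walk_sim(oversized_frame, sizeof oversized_frame, 3, &claimed);

    printf("good:      new offset %ld len %ld, old result %d\n",
           ie_find_offset(good_frame, sizeof good_frame, 3),
           ie_find_len(good_frame, sizeof good_frame, 3),
           old_walk_sim(good_frame, sizeof good_frame, 3, NULL));
    printf("oversized: new offset %ld, old result %d claiming len %zu\n",
           ie_find_offset(oversized_frame, sizeof oversized_frame, 3), old, claimed);
    printf("truncated: new offset %ld, old result %d\n",
           ie_find_offset(truncated_frame, sizeof truncated_frame, 3),
           old_walk_sim(truncated_frame, sizeof truncated_frame, 3, NULL));
    return 0;
}
```

Build with `cc -Wall ie_find.c && ./a.out`. On the well-formed frame both walks agree. On the oversized frame the hardened lookup returns NULL, while the old walk would have returned the element with a length of 200 for a 9-byte buffer, which is the out-of-bounds read a caller then performs; on the truncated frame the old walk would read the missing length byte itself. Passing a 1-byte buffer shows the same thing for the old `limit < 1` check.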