From: Alexandru Hossu
To: greg@kroah.com
Cc: dan.carpenter@linaro.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, hossu.alexandru@gmail.com
Subject: [PATCH v2] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
Date: Sat, 25 Apr 2026 13:59:36 +0200
Message-ID: <20260425115936.2899314-1-hossu.alexandru@gmail.com>

The IE parsing loop in update_beacon_info() advances by (pIE->length + 2)
each iteration but only guards on i < len. When a malicious AP sends a
Beacon whose last IE has only one byte remaining in the frame (the
element_id byte lands at len-1), the loop reads pIE->length from one byte
past the allocated receive buffer.

Additionally, even when the header bytes are in bounds, pIE->length itself
can extend the data window beyond len, passing a truncated IE to the
handler functions.

Add two guards at the top of the loop body:

1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
2. Break if the IE's declared data extends past len.

Also replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length
for consistency with the sizeof(*pIE) guards added above.
Signed-off-by: Alexandru Hossu
---
v2: Replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length
for consistency with the sizeof(*pIE) guards (Dan Carpenter).

 drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index 6a7c09db4cd9..e0d73c267786 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -1289,7 +1289,11 @@ void update_beacon_info(struct adapter *padapter, u8 *pframe, uint pkt_len, stru
 	len = pkt_len - (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN);
 
 	for (i = 0; i < len;) {
+		if (i + sizeof(*pIE) > len)
+			break;
 		pIE = (struct ndis_80211_var_ie *)(pframe + (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN) + i);
+		if (i + sizeof(*pIE) + pIE->length > len)
+			break;
 
 		switch (pIE->element_id) {
 		case WLAN_EID_VENDOR_SPECIFIC:
@@ -1314,7 +1318,7 @@ void update_beacon_info(struct adapter *padapter, u8 *pframe, uint pkt_len, stru
 			break;
 		}
 
-		i += (pIE->length + 2);
+		i += sizeof(*pIE) + pIE->length;
 	}
 }
 
-- 
2.53.0
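Review bot: in the first hunk (the `for (i = 0; i < len;)` loop at line 1289), the two new guards only hold if `len` itself is in bounds, and `len = pkt_len - (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN)` is an unsigned subtraction (`pkt_len` is `uint`) that wraps when the frame is shorter than that offset; even if `len` were signed, the comparison against `i + sizeof(*pIE)` is done in `size_t`, so a negative value becomes huge and `i + sizeof(*pIE) > len` never fires. Either the caller already rejects frames shorter than `_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN`, in which case a sentence in the commit message saying so would settle it, or an early `if (pkt_len < _BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN) return;` before the subtraction belongs in this hunk.

Review bot: in the second hunk (the stride change at line 1318), `i += sizeof(*pIE) + pIE->length` is only the same stride as the old `pIE->length + 2` if `sizeof(struct ndis_80211_var_ie)` is exactly 2, i.e. `element_id`, `length` and a flexible `data[]` member with no padding; if the struct declares `data[1]` instead, the stride and the two guards above that use the same `sizeof(*pIE)` would be off by one and would reject a zero-length IE that ends exactly at `len`. A `BUILD_BUG_ON(sizeof(struct ndis_80211_var_ie) != 2)` next to the loop, or a line in the commit message confirming the layout, would make the equivalence explicit.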
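The commit message describes two failure modes of a TLV walker over 802.11 information elements: a header whose length byte sits one past the end of the buffer, and a length field whose data window overruns the buffer. The following is an added example, not the rtl8723bs driver's code, that reproduces both with a minimal walker in the pre-fix and post-fix shape and runs it over constructed IE payloads. The `struct var_ie` layout, the `walk_result` bookkeeping and the sample bytes are assumptions made for this example; the buffer passed in is taken to be the IE region only, i.e. the `_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN` skip has already been done by the caller. The unguarded walker records where the real loop would have read out of bounds instead of actually dereferencing past the array, so the program stays well-defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed IE layout: 2-byte header, then `length` bytes of data. */
struct var_ie {
	uint8_t element_id;
	uint8_t length;
	uint8_t data[];
};
/* The stride and the guards below rely on the header being exactly 2 bytes. */
_Static_assert(sizeof(struct var_ie) == 2, "var_ie header must be 2 bytes");

struct walk_result {
	unsigned ies_seen;   /* IEs that would be handed to a handler */
	int oob_header;      /* length byte lies at or past len */
	int oob_data;        /* declared data window extends past len */
};

/*
 * Pre-fix shape: only `i < len` is checked before reading the header.
 * Where the real loop would read buf[len] (the length byte of a lone
 * element_id at len-1) or hand a truncated IE to a handler, this version
 * records the fact instead of touching memory past the buffer.
 */
static struct walk_result walk_unguarded(const uint8_t *buf, size_t len)
{
	struct walk_result r = {0, 0, 0};
	size_t i;

	for (i = 0; i < len;) {
		if (i + 1 >= len) {
			r.oob_header = 1;   /* buf[i + 1] == buf[len]: one byte OOB */
			break;
		}
		const struct var_ie *ie = (const struct var_ie *)(buf + i);
		if (i + 2 + ie->length > len)
			r.oob_data = 1;     /* handler would read past len */
		r.ies_seen++;
		i += ie->length + 2;
	}
	return r;
}

/* Post-fix shape: header must fit, then header + declared data must fit. */
static struct walk_result walk_guarded(const uint8_t *buf, size_t len)
{
	struct walk_result r = {0, 0, 0};
	size_t i;

	for (i = 0; i < len;) {
		const struct var_ie *ie;

		if (i + sizeof(*ie) > len)
			break;                      /* cannot read the header */
		ie = (const struct var_ie *)(buf + i);
		if (i + sizeof(*ie) + ie->length > len)
			break;                      /* data would overrun len */
		r.ies_seen++;
		i += sizeof(*ie) + ie->length;
	}
	return r;
}

/* Constructed payloads (not captured traffic). */
/* Well-formed: SSID "ab" (EID 0) and three supported rates (EID 1). */
static const uint8_t good_ies[] = {
	0x00, 0x02, 'a', 'b',
	0x01, 0x03, 0x82, 0x84, 0x8b,
};
/* Lone element_id at len-1: the length byte would be read from buf[len]. */
static const uint8_t lone_eid[] = {
	0x00, 0x02, 'a', 'b',
	0xdd,
};
/* Vendor-specific IE declaring 0x20 bytes of data with only 3 present. */
static const uint8_t overlong[] = {
	0x00, 0x02, 'a', 'b',
	0xdd, 0x20, 0x00, 0x50, 0xf2,
};

static void report(const char *name, const uint8_t *buf, size_t len)
{
	struct walk_result u = walk_unguarded(buf, len);
	struct walk_result g = walk_guarded(buf, len);

	printf("%-9s unguarded: seen=%u oob_header=%d oob_data=%d | "
	       "guarded: seen=%u oob_header=%d oob_data=%d\n",
	       name, u.ies_seen, u.oob_header, u.oob_data,
	       g.ies_seen, g.oob_header, g.oob_data);
}

int main(void)
{
	report("good", good_ies, sizeof(good_ies));
	report("lone_eid", lone_eid, sizeof(lone_eid));
	report("overlong", overlong, sizeof(overlong));
	return 0;
}
```

On the well-formed payload both walkers see two IEs. On `lone_eid` the unguarded walker reaches index 4 and would read its length byte from index 5, one past the buffer, while the guarded walker stops after the SSID. On `overlong` the unguarded walker hands a truncated vendor IE to the handler and then jumps the index to 38, well past the 9-byte buffer; the guarded walker again stops after the SSID.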