[PATCH v2 0/3] staging: rtl8723bs: fix OOB reads and heap overflow in IE parsing

Alexandru Hossu posted 3 patches 1 month, 3 weeks ago
There is a newer version of this series
Posted by Alexandru Hossu 1 month, 3 weeks ago
This is v2 of the series. The only change from v1 is in patch 1/3:
the loop increment in update_beacon_info() is now written as
sizeof(*pIE) + pIE->length instead of (pIE->length + 2), to be
consistent with the sizeof(*pIE) guards introduced by the same patch
(suggested by Dan Carpenter).

Patches 2/3 and 3/3 are unchanged from v1.

---

This series fixes three related bugs in the rtl8723bs staging driver's
802.11 IE parsing code. All three share the same root cause: IE parsing
loops and IE handler functions do not check that an IE's declared length
actually fits within the remaining buffer before reading from it.

Patches 1 and 2 fix OOB reads in three IE parsing loops
(update_beacon_info, issue_assocreq, join_cmd_hdl) that are missing
the two-guard pattern already applied to OnAssocRsp() in an earlier fix.
A malicious AP can send a beacon or association response with a truncated
final IE (for example, only the element_id byte present with no length
byte), causing the loop to read pIE->length one byte past the end of
the IE area.

Patch 3 fixes a one-byte heap buffer overflow in rtw_cfg80211_set_wpa_ie().
supplicant_ie is a 256-byte array in struct security_priv. Because
wpa_ielen is taken directly from the IE length field (u8, 0-255), the copy:

    memcpy(supplicant_ie, pwpa, wpa_ielen + 2);

can write up to 257 bytes. rtw_parse_wpa_ie()'s own length check passes
silently because it casts the arithmetic to u8: (u8)(257 - 2) == 255.
The overflow is reachable via NL80211_CMD_CONNECT with a crafted WPA IE
of length 255.

Alexandru Hossu (3):
  staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
  staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl()
  staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie()

 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c     | 8 ++++++++
 drivers/staging/rtl8723bs/core/rtw_wlan_util.c    | 6 +++++-
 drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 8 ++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)

--
2.53.0
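The two-guard IE walk and the u8-truncated length check described in the cover letter, as an added worked example (this is not the driver's code or the series' patches; `struct ie_hdr`, the function names and the constructed beacon/WPA buffers are assumptions chosen for illustration, and `u8_truncated_check_accepts()` is a model of the check the cover letter describes, not a copy of `rtw_parse_wpa_ie()`):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for the driver's IE header: one element_id byte, one
 * length byte, then `length` bytes of payload. sizeof(*pIE) == 2. */
struct ie_hdr {
    uint8_t element_id;
    uint8_t length;
};

/* Walk an IE area with the two guards the series applies. Returns the number
 * of complete IEs, or -1 if an IE is truncated; *bad_off receives the offset
 * of the offending IE. An unguarded loop would read buf[bad_off + 1] (the
 * length byte) or the payload beyond `len` at that point. */
int walk_ies_checked(const uint8_t *buf, size_t len, size_t *bad_off)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        const struct ie_hdr *pIE = (const struct ie_hdr *)(buf + off);

        /* Guard 1: the two-byte header itself must fit. Catches a final IE
         * that is only an element_id byte with no length byte. */
        if (len - off < sizeof(*pIE))
            goto truncated;
        /* Guard 2: the declared payload must fit in what remains. */
        if (len - off < sizeof(*pIE) + pIE->length)
            goto truncated;

        count++;
        off += sizeof(*pIE) + pIE->length;  /* the v2 increment form */
    }
    return count;

truncated:
    if (bad_off)
        *bad_off = off;
    return -1;
}

#define SUPPLICANT_IE_LEN 256  /* size of supplicant_ie per the cover letter */

/* Model of the length check the cover letter describes: the arithmetic is
 * truncated to u8, so for wpa_ielen == 255 the copy length is 257 but
 * (u8)(257 - 2) == 255 and the check accepts it. Returns 1 if accepted.
 * This is a reconstruction for illustration, not the driver's code. */
int u8_truncated_check_accepts(uint8_t wpa_ielen)
{
    size_t copy_len = (size_t)wpa_ielen + 2;       /* bytes memcpy() would write */
    uint8_t ielen_seen = (uint8_t)(copy_len - 2);  /* 255 for copy_len == 257 */
    size_t max_ielen = 255;

    return (size_t)ielen_seen <= max_ielen;        /* a u8 never exceeds 255 */
}

/* Returns 1 if copying an IE of declared length wpa_ielen plus its 2-byte
 * header would write past a SUPPLICANT_IE_LEN-byte destination. */
int wpa_copy_overflows(uint8_t wpa_ielen)
{
    return (size_t)wpa_ielen + 2 > SUPPLICANT_IE_LEN;
}

/* Hardened copy: bound the copy in size_t against both the source bytes
 * available and the destination size before memcpy(). Returns bytes copied
 * or -1. */
int copy_wpa_ie_checked(uint8_t *dst, size_t dst_len,
                        const uint8_t *pwpa, size_t avail)
{
    size_t copy_len;

    if (avail < sizeof(struct ie_hdr))
        return -1;
    copy_len = (size_t)pwpa[1] + sizeof(struct ie_hdr);
    if (copy_len > avail || copy_len > dst_len)
        return -1;
    memcpy(dst, pwpa, copy_len);
    return (int)copy_len;
}

int main(void)
{
    /* Constructed beacon IE area: SSID "test", three supported rates, then a
     * truncated final IE consisting of only an element_id byte (0x30). */
    static const uint8_t beacon_ies[] = {
        0x00, 0x04, 't', 'e', 's', 't',
        0x01, 0x03, 0x82, 0x84, 0x8b,
        0x30
    };
    /* Constructed WPA IE with the maximum declared length, 255. */
    uint8_t pwpa[257];
    uint8_t supplicant_ie[SUPPLICANT_IE_LEN];
    size_t bad = 0;
    int n = walk_ies_checked(beacon_ies, sizeof(beacon_ies), &bad);

    printf("beacon walk: %d (truncated IE at offset %zu)\n", n, bad);
    memset(pwpa, 0xaa, sizeof(pwpa));
    pwpa[0] = 0xdd;
    pwpa[1] = 255;
    printf("u8 check accepts: %d, overflows: %d, checked copy: %d\n",
           u8_truncated_check_accepts(pwpa[1]), wpa_copy_overflows(pwpa[1]),
           copy_wpa_ie_checked(supplicant_ie, sizeof(supplicant_ie),
                               pwpa, sizeof(pwpa)));
    return 0;
}
```

The first guard is the one that matters for the truncated-final-IE case: with only the element_id byte present, `pIE->length` sits at `buf[len]`, so testing `pIE->length` before the header-size check would already be the out-of-bounds read. The copy check is done in `size_t` against the destination size rather than on a `u8` derived from the IE length, which is why it can reject 257 where the truncated arithmetic cannot.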
Re: [PATCH v2 0/3] staging: rtl8723bs: fix OOB reads and heap overflow in IE parsing
Posted by Luka Gejak 1 month, 3 weeks ago
On April 26, 2026 11:51:53 AM GMT+02:00, Alexandru Hossu <hossu.alexandru@gmail.com> wrote:

...

>This series fixes three related bugs in the rtl8723bs staging driver's
>802.11 IE parsing code. All three share the same root cause: IE parsing
>loops and IE handler functions do not check that an IE's declared length
>actually fits within the remaining buffer before reading from it.

...

If these are bug fixes (which they appear to be) they should have a Fixes:
tag present, as well as a Cc for stable if they are present in the stable tree
too. Also, the Reviewed-by tag goes above your Signed-off-by tag. Please
send v3 with these changes.

Best regards,
Luka Gejak