[PATCH v4 0/3] staging: rtl8723bs: fix OOB reads and heap overflow in IE parsing

Alexandru Hossu posted 3 patches 1 month, 1 week ago
There is a newer version of this series
Posted by Alexandru Hossu 1 month, 1 week ago
v4, addressing the sashiko review comments on v3.

Regarding hardware: I do not have rtl8723bs hardware available.  The
patches in this series are derived from static analysis of the code,
cross-checking against the 802.11 spec, and reviewing the patterns
already in use elsewhere in the same driver.

What changed in v4:

Patch 1 (update_beacon_info, bwmode_update_check):
  - Added unsigned underflow guard: if pkt_len < _BEACON_IE_OFFSET_ +
    WLAN_HDR_A3_LEN the subtraction that computes len would wrap to a
    very large value.  Return early.
  - Swapped the WLAN_EID_VENDOR_SPECIFIC condition so pIE->length ==
    WLAN_WMM_LEN is checked before memcmp(pIE->data, WMM_PARA_OUI, 6)
    to prevent the 6-byte read on a short IE.
  - Fixed bwmode_update_check(): changed pIE->length >
    sizeof(struct HT_info_element) to != to also reject IEs shorter
    than the struct, preventing the read of infos[0] on a zero-length IE.

Patch 2 (issue_assocreq, join_cmd_hdl):
  - Added pIE->length >= 4 guard before the 4-byte OUI memcmps in both
    WLAN_EID_VENDOR_SPECIFIC cases.
  - In issue_assocreq() WLAN_EID_HT_CAPABILITY: added minimum length
    check and replaced pIE->length with sizeof(struct HT_caps_element)
    in rtw_set_ie() to prevent reads past the HT_caps struct.
  - In join_cmd_hdl() WLAN_EID_HT_OPERATION: added minimum length check
    before casting pIE->data to struct HT_info_element * and reading
    infos[0].

Patch 3 (rtw_get_wps_ie, rtw_cfg80211_set_wpa_ie):
  - Added two bounds checks in rtw_get_wps_ie(): break if fewer than
    two header bytes remain; break if the declared payload extends past
    in_len.  Added in_ie[cnt + 1] >= 4 guard before the 4-byte WPS OUI
    memcmp.

Alexandru Hossu (3):
  staging: rtl8723bs: fix OOB reads in update_beacon_info() and
    bwmode_update_check()
  staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and
    join_cmd_hdl()
  staging: rtl8723bs: fix OOB reads in rtw_get_wps_ie() and
    rtw_cfg80211_set_wpa_ie()

 .../staging/rtl8723bs/core/rtw_ieee80211.c    |  9 +++++-
 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 30 ++++++++++++++-----
 .../staging/rtl8723bs/core/rtw_wlan_util.c    | 14 +++++++--
 .../staging/rtl8723bs/os_dep/ioctl_cfg80211.c |  8 +++++
 4 files changed, 50 insertions(+), 11 deletions(-)

-- 
2.53.0
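The guards the cover letter lists, gathered into one bounds-checked IE walk as an added example (this is not code from the series or the driver): the fixed-header underflow check, the two-header-bytes and payload-within-buffer checks, the length check before the 4-byte OUI memcmp, and the exact-length (`!=`) check for the HT Operation element. The EID numbers, HT_INFO_LEN, the WPS OUI bytes and the sample frames are assumed or constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Names mirror the driver's; the values are assumed for this example. */
#define WLAN_EID_HT_OPERATION    61
#define WLAN_EID_VENDOR_SPECIFIC 221
#define HT_INFO_LEN              22   /* assumed sizeof(struct HT_info_element) */
#define OUI_LEN                  4
static const uint8_t WPS_OUI[OUI_LEN] = { 0x00, 0x50, 0xf2, 0x04 };
struct ie_summary { int wps_found, ht_primary_channel, rejected; };

/* Walk the TLV IEs that start fixed_hdr bytes into frame.  Returns the number
 * of IEs accepted, or -1 if the frame is shorter than the fixed header. */
int walk_ies(const uint8_t *frame, size_t frame_len, size_t fixed_hdr, struct ie_summary *out)
{
	size_t cnt = fixed_hdr;
	int accepted = 0;

	out->wps_found = 0; out->ht_primary_channel = -1; out->rejected = 0;
	if (frame_len < fixed_hdr)	/* frame_len - fixed_hdr would wrap to a huge value */
		return -1;
	while (cnt + 2 <= frame_len) {	/* both header bytes (id, len) remain */
		uint8_t id = frame[cnt], len = frame[cnt + 1];
		const uint8_t *data = &frame[cnt + 2];

		if (cnt + 2 + len > frame_len) { out->rejected++; break; }	/* payload past the end */
		if (id == WLAN_EID_VENDOR_SPECIFIC && len < OUI_LEN) {
			out->rejected++;	/* too short for the 4-byte OUI memcmp */
		} else if (id == WLAN_EID_HT_OPERATION && len != HT_INFO_LEN) {
			out->rejected++;	/* != refuses short and long IEs alike */
		} else {
			if (id == WLAN_EID_VENDOR_SPECIFIC && !memcmp(data, WPS_OUI, OUI_LEN))
				out->wps_found = 1;
			if (id == WLAN_EID_HT_OPERATION)
				out->ht_primary_channel = data[0];	/* safe: len == HT_INFO_LEN */
			accepted++;
		}
		cnt += 2 + len;
	}
	return accepted;
}

/* Constructed sample: 4 fixed bytes, a WPS IE with only 2 OUI bytes (rejected),
 * a valid WPS IE, then a correctly sized HT Operation IE on channel 11. */
static const uint8_t sample_frame[] = {
	0, 0, 0, 0,  221, 2, 0x00, 0x50,  221, 4, 0x00, 0x50, 0xf2, 0x04,
	61, 22, 11, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
};
static const uint8_t truncated_frame[] = { 0, 0, 0, 0, 61, 22, 11 };	/* claims 22 bytes */
static struct ie_summary last;		/* filled by walk_sample() for the checks */
static int walk_sample(const uint8_t *f, size_t n) { return walk_ies(f, n, 4, &last); }
```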
Re: [PATCH v4 0/3] staging: rtl8723bs: fix OOB reads and heap overflow in IE parsing
Posted by Greg KH 1 month ago
On Tue, May 05, 2026 at 07:38:15PM +0200, Alexandru Hossu wrote:
> v4, addressing the sashiko review comments on v3.

There are still loads of new sashiko review comments on this series:
	https://sashiko.dev/#/patchset/20260505173818.3674164-1-hossu.alexandru@gmail.com

> Regarding hardware: I do not have rtl8723bs hardware available.  The
> patches in this series are derived from static analysis of the code,
> cross-checking against the 802.11 spec, and reviewing the patterns
> already in use elsewhere in the same driver.

I'll have to defer to the bot here, let's get it to agree that you are
making the needed changes, as you can't test the code.

thanks,

greg k-h