From: Alexandru Hossu
To: gregkh@linuxfoundation.org
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, error27@gmail.com, luka.gejak@linux.dev, stable@vger.kernel.org
Subject: [PATCH v4 1/3] staging: rtl8723bs: fix OOB reads in update_beacon_info() and bwmode_update_check()
Date: Tue, 5 May 2026 19:38:16 +0200
Message-ID: <20260505173818.3674164-2-hossu.alexandru@gmail.com>
In-Reply-To: <20260505173818.3674164-1-hossu.alexandru@gmail.com>
References: <2026050436-italics-clumsy-e83c@gregkh> <20260505173818.3674164-1-hossu.alexandru@gmail.com>

Four out-of-bounds read paths in Beacon IE processing:

1. Unsigned underflow in len computation.

update_beacon_info() computes:

    len = pkt_len - (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN);

where len is unsigned int. If pkt_len is smaller than _BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN (36 bytes), the subtraction wraps to a very large value, causing the IE loop to iterate over memory far beyond the receive buffer. Add an early return when pkt_len is too small.

2. IE header and payload may extend past the packet end.

The IE loop advances by pIE->length + 2 per iteration but only guards on i < len. When the last IE has only one byte left in the frame, the loop reads pIE->length from pframe[len], one byte past the receive buffer. Even when the header bytes are in bounds, pIE->length can point the data window past len, silently passing a truncated IE to handler functions. Add two guards: break if fewer than sizeof(*pIE) bytes remain, and break if the declared IE payload extends past len.

3. WMM OUI comparison reads 6 bytes past a possibly short IE payload.

For WLAN_EID_VENDOR_SPECIFIC, the code calls memcmp(pIE->data, WMM_PARA_OUI, 6) before checking pIE->length == WLAN_WMM_LEN.
An IE with pIE->length < 6 causes memcmp to read into adjacent frame data. Swap the condition so the length check comes first.

4. bwmode_update_check() missing minimum IE length check.

bwmode_update_check() rejects IEs longer than sizeof(struct HT_info_element) but accepts any shorter length, including zero. After the check it casts pIE->data to struct HT_info_element * and reads infos[0] (offset 1), which is out of bounds when pIE->length is 0 or 1. Change the guard from > to != to require the IE to be exactly the expected size.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu
---
Changes in v4:
- Add pkt_len < _BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN guard before the len subtraction to prevent unsigned underflow (sashiko review of v3).
- Swap WLAN_EID_VENDOR_SPECIFIC condition: check pIE->length == WLAN_WMM_LEN before memcmp to avoid reading 6 bytes from a short IE payload (sashiko review of v3).
- Fix bwmode_update_check(): change > sizeof(struct HT_info_element) to != sizeof(struct HT_info_element) to also reject IEs shorter than the expected size, preventing the read of infos[0] on a zero-length IE (sashiko review of v3).

Changes in v3:
- No code changes from v2.

Changes in v2:
- Add IE loop header and payload bounds checks in update_beacon_info().
- Use sizeof(*pIE) + pIE->length instead of pIE->length + 2 for consistency with the sizeof(*pIE) guards (Dan Carpenter).

 drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/stagi= ng/rtl8723bs/core/rtw_wlan_util.c index 6a7c09db4cd9..7ccfaa538ebb 100644 --- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c +++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -850,7 +850,7 @@ static void bwmode_update_check(struct adapter *padapte= r, struct ndis_80211_var_ if (phtpriv->ht_option =3D=3D false) return; =20 - if (pIE->length > sizeof(struct HT_info_element)) + if (pIE->length !=3D sizeof(struct HT_info_element)) return; =20 pHT_info =3D (struct HT_info_element *)pIE->data; @@ -1286,15 +1286,23 @@ void update_beacon_info(struct adapter *padapter, u= 8 *pframe, uint pkt_len, stru unsigned int len; struct ndis_80211_var_ie *pIE; =20 + if (pkt_len < _BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN) + return; + len =3D pkt_len - (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN); =20 for (i =3D 0; i < len;) { + if (i + sizeof(*pIE) > len) + break; pIE =3D (struct ndis_80211_var_ie *)(pframe + (_BEACON_IE_OFFSET_ + WLAN= _HDR_A3_LEN) + i); + if (i + sizeof(*pIE) + pIE->length > len) + break; =20 switch (pIE->element_id) { case WLAN_EID_VENDOR_SPECIFIC: /* to update WMM parameter set while receiving beacon */ - if (!memcmp(pIE->data, WMM_PARA_OUI, 6) && pIE->length =3D=3D WLAN_WMM_= LEN) /* WMM */ + if (pIE->length =3D=3D WLAN_WMM_LEN && + !memcmp(pIE->data, WMM_PARA_OUI, 6)) /* WMM */ if (WMM_param_handler(padapter, pIE)) report_wmm_edca_update(padapter); =20 
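Review bot: in the @@ -850 hunk, `if (pIE->length != sizeof(struct HT_info_element))` uses a different rule from the `pIE->length < sizeof(struct HT_info_element)` test this series adds for the same element in join_cmd_hdl(). The old `>` already rejected longer IEs, so `!=` only adds the short case here, while the join_cmd_hdl() form tolerates trailing bytes; the two sites should agree, and since the commit message says only infos[0] (offset 1) is read, `<` is the less surprising choice for both.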
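Review bot: in the @@ -1286 hunk, moving `pIE->length == WLAN_WMM_LEN` ahead of the 6-byte memcmp only closes the read if WLAN_WMM_LEN is at least 6, and neither the hunk nor the commit message states the macro's value; a `BUILD_BUG_ON(WLAN_WMM_LEN < 6)` or a one-line comment next to the compare would pin that assumption down. Separately, `if (i + sizeof(*pIE) > len) break;` at the top of the body makes the `i < len` loop condition redundant; harmless, but a word in the commit message would tell the next reader which check is load-bearing.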
@@ -1314,7 +1322,7 @@ void update_beacon_info(struct adapter *padapter, u8 = *pframe, uint pkt_len, stru break; } =20 - i +=3D (pIE->length + 2); + i +=3D sizeof(*pIE) + pIE->length; } } =20 --=20 2.53.0
From: Alexandru Hossu
To: gregkh@linuxfoundation.org
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, error27@gmail.com, luka.gejak@linux.dev, stable@vger.kernel.org
Subject: [PATCH v4 2/3] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl()
Date: Tue, 5 May 2026 19:38:17 +0200
Message-ID: <20260505173818.3674164-3-hossu.alexandru@gmail.com>
In-Reply-To: <20260505173818.3674164-1-hossu.alexandru@gmail.com>
References: <2026050436-italics-clumsy-e83c@gregkh> <20260505173818.3674164-1-hossu.alexandru@gmail.com>

Five out-of-bounds read paths in the IE parsing loops of issue_assocreq() and join_cmd_hdl():

1. Missing IE header bounds checks (both functions).

Both loops advance by pIE->length + 2 per iteration but only guard on i < ie_length. When the buffer ends with a single element_id byte and no length byte, the loop reads pIE->length from one byte past the end of the buffer. Even when both header bytes are in bounds, pIE->length can extend the data window past ie_length, silently passing a truncated IE to handler functions. Add two guards at the top of each loop: break if fewer than sizeof(*pIE) bytes remain, and break if the declared IE payload extends past ie_length.

2. Vendor-specific OUI comparison reads 4 bytes past a possibly short IE payload (both functions).

For WLAN_EID_VENDOR_SPECIFIC, the code calls memcmp(pIE->data, OUI, 4) on RTW_WPA_OUI, WMM_OUI, and WPS_OUI without first verifying that pIE->length is at least 4. A short IE at the end of the frame causes the memcmp to read into adjacent frame data. Add pIE->length >= 4 guard before the comparisons.

3.
HT Capability IE memcpy reads sizeof(struct HT_caps_element) bytes from an IE that may be shorter (issue_assocreq only).

The WLAN_EID_HT_CAPABILITY handler copies:

    memcpy(&pmlmeinfo->HT_caps, pIE->data, sizeof(struct HT_caps_element));

If pIE->length < sizeof(struct HT_caps_element), the memcpy reads beyond the end of the IE payload into adjacent frame data. Add a minimum length check and skip the IE if it is too short.

4. rtw_set_ie called with untrusted pIE->length for HT Capability (issue_assocreq only).

After the memcpy the code passes pIE->length directly to rtw_set_ie() as the IE body length. If pIE->length exceeds sizeof(struct HT_caps_element), rtw_set_ie copies that many bytes from pmlmeinfo->HT_caps, reading past the end of the struct into adjacent fields. Use sizeof(struct HT_caps_element) instead.

5. HT Operation IE accessed without minimum length check (join_cmd_hdl only).

The WLAN_EID_HT_OPERATION handler casts pIE->data to struct HT_info_element * and reads pht_info->infos[0] (offset 1) without verifying pIE->length >= sizeof(struct HT_info_element). A zero- or one-byte HT Operation IE causes an out-of-bounds read. Add a minimum length check and break if the IE is too short.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu
---
Changes in v4:
- Add pIE->length >= 4 guard before the 4-byte OUI memcmps in the WLAN_EID_VENDOR_SPECIFIC cases of both functions (sashiko review of v3).
- In issue_assocreq() WLAN_EID_HT_CAPABILITY: add minimum length check (pIE->length < sizeof(struct HT_caps_element)) and use sizeof(struct HT_caps_element) instead of pIE->length in rtw_set_ie() to prevent OOB reads past the HT_caps struct (sashiko review of v3).
- In join_cmd_hdl() WLAN_EID_HT_OPERATION: add minimum length check (pIE->length < sizeof(struct HT_info_element)) before casting pIE->data to struct HT_info_element * and reading infos[0] (sashiko review of v3).

Changes in v3:
- No code changes from v2.

Changes in v2:
- Add IE loop header and payload bounds checks for issue_assocreq() and join_cmd_hdl().

 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 30 ++++++++++++++-----
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/stagin= g/rtl8723bs/core/rtw_mlme_ext.c index 5f00fe282d1b..0c130d0f9a48 100644 --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -2925,13 +2925,18 @@ void issue_assocreq(struct adapter *padapter) =20 /* vendor specific IE, such as WPA, WMM, WPS */ for (i =3D sizeof(struct ndis_802_11_fix_ie); i < pmlmeinfo->network.ie_l= ength;) { + if (i + sizeof(*pIE) > pmlmeinfo->network.ie_length) + break; pIE =3D (struct ndis_80211_var_ie *)(pmlmeinfo->network.ies + i); + if (i + sizeof(*pIE) + pIE->length > pmlmeinfo->network.ie_length) + break; =20 switch (pIE->element_id) { case WLAN_EID_VENDOR_SPECIFIC: - if ((!memcmp(pIE->data, RTW_WPA_OUI, 4)) || + if (pIE->length >=3D 4 && + ((!memcmp(pIE->data, RTW_WPA_OUI, 4)) || (!memcmp(pIE->data, WMM_OUI, 4)) || - (!memcmp(pIE->data, WPS_OUI, 4))) { + (!memcmp(pIE->data, WPS_OUI, 4)))) { vs_ie_length =3D pIE->length; if ((!padapter->registrypriv.wifi_spec) && (!memcmp(pIE->data, WPS_OUI= , 4))) { /* Commented by Kurt 20110629 @@ -2953,8 +2958,10 @@ void issue_assocreq(struct adapter *padapter) case WLAN_EID_HT_CAPABILITY: if (padapter->mlmepriv.htpriv.ht_option) { if (!(is_ap_in_tkip(padapter))) { + if (pIE->length < sizeof(struct HT_caps_element)) + break; memcpy(&(pmlmeinfo->HT_caps), pIE->data, sizeof(struct HT_caps_elemen= t)); - pframe =3D rtw_set_ie(pframe, WLAN_EID_HT_CAPABILITY, pIE->length, (u= 8 *)(&(pmlmeinfo->HT_caps)), &(pattrib->pktlen)); + pframe =3D rtw_set_ie(pframe, WLAN_EID_HT_CAPABILITY, sizeof(struct H= T_caps_element), (u8 *)(&(pmlmeinfo->HT_caps)), &(pattrib->pktlen)); } } break; @@ -2967,7 +2974,7 @@ void issue_assocreq(struct adapter *padapter) break; } =20 - i +=3D (pIE->length + 2); + i +=3D sizeof(*pIE) + pIE->length; } =20 if (pmlmeinfo->assoc_AP_vendor =3D=3D HT_IOT_PEER_REALTEK) 
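Review bot: style nit on the @@ -2925 hunk: each `!memcmp(...)` is wrapped in its own parentheses and the OR group in another pair, which with the new outer `pIE->length >= 4 &&` makes four nesting levels; `if (pIE->length >= 4 && (!memcmp(pIE->data, RTW_WPA_OUI, 4) || !memcmp(pIE->data, WMM_OUI, 4) || !memcmp(pIE->data, WPS_OUI, 4)))` reads the same and matches the flatter form used in the join_cmd_hdl() hunk. The logic is fine: the header and payload guards above make pIE->data[0..length) addressable, and the length test keeps the 4-byte compare inside it.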
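Review bot: in the @@ -2953 hunk, `if (pIE->length < sizeof(struct HT_caps_element)) break;` leaves the switch, so a short HT Capability IE is skipped and the loop continues, as the commit message intends; but rtw_set_ie() now always emits exactly sizeof(struct HT_caps_element) bytes, so an IE longer than the struct is silently truncated in the association request. Please confirm sizeof(struct HT_caps_element) equals the standard HT Capabilities element body length (26 bytes), otherwise a conformant AP's IE is either skipped or truncated, and put the expected size in a comment next to the check.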
@@ -5318,11 +5325,15 @@ u8 join_cmd_hdl(struct adapter *padapter, u8 *pbuf) =20 /* sizeof(struct ndis_802_11_fix_ie) */ for (i =3D _FIXED_IE_LENGTH_; i < pnetwork->ie_length;) { + if (i + sizeof(*pIE) > pnetwork->ie_length) + break; pIE =3D (struct ndis_80211_var_ie *)(pnetwork->ies + i); + if (i + sizeof(*pIE) + pIE->length > pnetwork->ie_length) + break; =20 switch (pIE->element_id) { case WLAN_EID_VENDOR_SPECIFIC:/* Get WMM IE. */ - if (!memcmp(pIE->data, WMM_OUI, 4)) + if (pIE->length >=3D 4 && !memcmp(pIE->data, WMM_OUI, 4)) WMM_param_handler(padapter, pIE); break; =20 @@ -5335,7 +5346,12 @@ u8 join_cmd_hdl(struct adapter *padapter, u8 *pbuf) =20 /* spec case only for cisco's ap because cisco's ap issue assoc rsp usi= ng mcs rate @40MHz or @20MHz */ { - struct HT_info_element *pht_info =3D (struct HT_info_element *)(pIE->d= ata); + struct HT_info_element *pht_info; + + if (pIE->length < sizeof(struct HT_info_element)) + break; + + pht_info =3D (struct HT_info_element *)(pIE->data); =20 if (pnetwork->configuration.ds_config <=3D 14) { if ((pregpriv->bw_mode & 0x0f) > CHANNEL_WIDTH_20) 
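Review bot: in the @@ -5318 hunk, WMM_param_handler() is reached with only `pIE->length >= 4` established, whereas the beacon path in patch 1/3 requires `pIE->length == WLAN_WMM_LEN` before calling the same handler. Unless WMM_param_handler() validates the length itself (not visible here), a 4-byte WMM IE in the stored network IEs still lets the handler read parameter fields past the payload; either use the WLAN_WMM_LEN check here as well or move the check into the handler so both callers are covered.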
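Review bot: in the @@ -5335 hunk the new `break` sits inside the bare `{ ... }` block of the WLAN_EID_HT_OPERATION case, so it exits the switch and the loop moves on to the next IE; that is the right behaviour, but the commit message's "break if the IE is too short" reads as aborting the loop. Saying "skip the IE" there, as the HT Capability item does, removes the ambiguity.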
@@ -5366,7 +5382,7 @@ u8 join_cmd_hdl(struct adapter *padapter, u8 *pbuf) break; } =20 - i +=3D (pIE->length + 2); + i +=3D sizeof(*pIE) + pIE->length; } =20 /* check channel, bandwidth, offset and switch */ --=20 2.53.0
From: Alexandru Hossu
To: gregkh@linuxfoundation.org
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, error27@gmail.com, luka.gejak@linux.dev, stable@vger.kernel.org
Subject: [PATCH v4 3/3] staging: rtl8723bs: fix OOB reads in rtw_get_wps_ie() and rtw_cfg80211_set_wpa_ie()
Date: Tue, 5 May 2026 19:38:18 +0200
Message-ID: <20260505173818.3674164-4-hossu.alexandru@gmail.com>
In-Reply-To: <20260505173818.3674164-1-hossu.alexandru@gmail.com>
References: <2026050436-italics-clumsy-e83c@gregkh> <20260505173818.3674164-1-hossu.alexandru@gmail.com>

Three out-of-bounds read or write paths:

1. rtw_get_wps_ie() reads the IE length byte without a header bounds check.

The loop only guards on cnt < in_len, so when the buffer ends with a single element_id byte and no length byte, in_ie[cnt + 1] is read one byte past the end of the buffer. Add a check that at least two header bytes remain (cnt + 2 <= in_len) before reading in_ie[cnt + 1].

2. rtw_get_wps_ie() does not verify the declared IE payload fits within in_len.

After reading the length byte, the loop does not verify that in_ie[cnt + 1] + 2 bytes are available starting at cnt. A crafted length value can cause the subsequent memcmp and memcpy to read past the end of the buffer. Add a check that the full IE (header plus payload) fits within in_len.

3. rtw_get_wps_ie() reads 4 bytes from the IE payload via memcmp without checking that pIE->length >= 4.

For WLAN_EID_VENDOR_SPECIFIC, the code calls memcmp(&in_ie[cnt + 2], wps_oui, 4) without first verifying that the IE payload is at least 4 bytes long. Add an in_ie[cnt + 1] >= 4 guard before the comparison.

4. rtw_cfg80211_set_wpa_ie() can overflow the 256-byte supplicant_ie buffer.
supplicant_ie is a 256-byte array in struct security_priv. The WPA and WPA2 IE copy paths use memcpy(..., wpa_ielen + 2) where wpa_ielen is the raw IE length field (u8, 0-255). When a local user supplies a connect request via nl80211 with a crafted WPA IE of length 255, wpa_ielen + 2 equals 257, overflowing the 256-byte buffer. Add explicit bounds checks for both paths before memcpy.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu
---
Changes in v4:
- Add two IE bounds checks in rtw_get_wps_ie(): break if fewer than two header bytes remain, and break if the declared payload extends past in_len; add in_ie[cnt + 1] >= 4 guard before the 4-byte WPS OUI memcmp (sashiko review of v3).

Changes in v3:
- No code changes from v2.

Changes in v2:
- Add explicit size checks in rtw_cfg80211_set_wpa_ie() before memcpy to prevent the 256-byte supplicant_ie buffer overflow.

 drivers/staging/rtl8723bs/core/rtw_ieee80211.c    | 9 ++++++++-
 drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 8 ++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c b/drivers/stagi= ng/rtl8723bs/core/rtw_ieee80211.c index 72b7f731dd47..d6d5f3a8db4c 100644 --- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c +++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c @@ -661,7 +661,14 @@ u8 *rtw_get_wps_ie(u8 *in_ie, uint in_len, u8 *wps_ie,= uint *wps_ielen) while (cnt < in_len) { eid =3D in_ie[cnt]; =20 - if ((eid =3D=3D WLAN_EID_VENDOR_SPECIFIC) && (!memcmp(&in_ie[cnt + 2], w= ps_oui, 4))) { + if (cnt + 2 > in_len) + break; + + if (in_ie[cnt + 1] + 2 > in_len - cnt) + break; + + if ((eid =3D=3D WLAN_EID_VENDOR_SPECIFIC) && (in_ie[cnt + 1] >=3D 4) && + (!memcmp(&in_ie[cnt + 2], wps_oui, 4))) { wpsie_ptr =3D &in_ie[cnt]; =20 if (wps_ie)
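Review bot: in the @@ -661 hunk, `eid = in_ie[cnt];` is still executed before the new `if (cnt + 2 > in_len) break;`; that read is safe because the while condition guarantees cnt < in_len, but placing both new checks above the assignment keeps every access after its bound check and reads more naturally. Also, `in_ie[cnt + 1] + 2 > in_len - cnt` mixes an int-promoted u8 with unsigned arithmetic; `cnt + 2 + in_ie[cnt + 1] > in_len` expresses the same bound in the `i + sizeof(*pIE) + pIE->length > len` shape the other two patches use.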
diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c b/drivers/st= aging/rtl8723bs/os_dep/ioctl_cfg80211.c index fd3bae31b0ed..e7ba5ccfa03c 100644 --- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c @@ -1445,6 +1445,10 @@ static int rtw_cfg80211_set_wpa_ie(struct adapter *p= adapter, u8 *pie, size_t iel =20 pwpa =3D rtw_get_wpa_ie(buf, &wpa_ielen, ielen); if (pwpa && wpa_ielen > 0) { + if (wpa_ielen + 2 > sizeof(padapter->securitypriv.supplicant_ie)) { + ret =3D -EINVAL; + goto exit; + } if (rtw_parse_wpa_ie(pwpa, wpa_ielen + 2, &group_cipher, &pairwise_ciphe= r, NULL) =3D=3D _SUCCESS) { padapter->securitypriv.dot11AuthAlgrthm =3D dot11AuthAlgrthm_8021X; padapter->securitypriv.ndisauthtype =3D Ndis802_11AuthModeWPAPSK; @@ -1454,6 +1458,10 @@ static int rtw_cfg80211_set_wpa_ie(struct adapter *p= adapter, u8 *pie, size_t iel =20 pwpa2 =3D rtw_get_wpa2_ie(buf, &wpa2_ielen, ielen); if (pwpa2 && wpa2_ielen > 0) { + if (wpa2_ielen + 2 > sizeof(padapter->securitypriv.supplicant_ie)) { + ret =3D -EINVAL; + goto exit; + } if (rtw_parse_wpa2_ie(pwpa2, wpa2_ielen + 2, &group_cipher, &pairwise_ci= pher, NULL) =3D=3D _SUCCESS) { padapter->securitypriv.dot11AuthAlgrthm =3D dot11AuthAlgrthm_8021X; padapter->securitypriv.ndisauthtype =3D Ndis802_11AuthModeWPA2PSK; --=20 2.53.0
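Review bot: in the @@ -1445 and @@ -1454 hunks the size check fails the call with `ret = -EINVAL; goto exit;` before rtw_parse_wpa_ie()/rtw_parse_wpa2_ie() run, so confirm that the exit label releases whatever `buf` points at (the allocation and label are outside the hunk context). The commit message should also say that an over-long supplicant IE now makes the connect request fail instead of being silently ignored, since that is a user-visible change for the local nl80211 caller; a shared helper for the two identical `wpa_ielen + 2 > sizeof(...)` checks would keep them from drifting apart.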
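An added example, not code from this series or from the rtl8723bs driver, that puts the three patches' checks together in one stand-alone IE walker: the 36-byte runt-frame guard and the header/payload bounds from patch 1/3, the length-before-OUI-compare rule from patches 1/3 and 2/3, and the 256-byte supplicant_ie fit check from patch 3/3. Every name here (var_ie, next_ie, walk_beacon, copy_wpa_ie, the HDR/EID/OUI constants) and every sample frame is an assumption made for the example; only the two-byte element_id/length header layout follows the driver's struct ndis_80211_var_ie, and the 36-byte header total follows the commit message.

```c
/* Added example, not rtl8723bs code: an 802.11 IE walker with the bounds
 * checks this series adds. Names and sample frames are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WLAN_HDR_A3_LEN   24   /* assumed: frame control .. sequence control */
#define BEACON_IE_OFFSET  12   /* assumed: timestamp(8) + interval(2) + capab(2) */
#define HDR               (BEACON_IE_OFFSET + WLAN_HDR_A3_LEN)   /* 36 */
#define EID_VENDOR        221
#define SUPPLICANT_IE_MAX 256  /* size of supplicant_ie in patch 3/3 */

struct var_ie {                /* same layout as ndis_80211_var_ie */
	uint8_t element_id;
	uint8_t length;
	uint8_t data[];
};
struct walk_result { int ies, wmm, truncated; };

static const uint8_t WMM_PARA_OUI[6] = { 0x00, 0x50, 0xf2, 0x02, 0x01, 0x01 };
static const uint8_t WPA_OUI[4]      = { 0x00, 0x50, 0xf2, 0x01 };

/* Pre-fix arithmetic from update_beacon_info(): wraps when pkt_len < 36. */
unsigned int naive_ie_len(unsigned int pkt_len)
{
	return pkt_len - HDR;
}

/* Next IE at *pos in ies[0..len), advancing *pos; NULL when the 2-byte
 * header or the declared payload would run past len (truncated tail). */
const struct var_ie *next_ie(const uint8_t *ies, size_t len, size_t *pos)
{
	const struct var_ie *ie;
	if (*pos + sizeof(*ie) > len)
		return NULL;
	ie = (const struct var_ie *)(ies + *pos);
	if (*pos + sizeof(*ie) + ie->length > len)
		return NULL;
	*pos += sizeof(*ie) + ie->length;
	return ie;
}

/* Beacon walk as update_beacon_info() does it after the fix: reject runt
 * frames before the subtraction, bound header and payload, and test the
 * IE length before the 6-byte WMM OUI compare. */
struct walk_result walk_beacon(const uint8_t *frame, unsigned int pkt_len)
{
	struct walk_result r = { 0, 0, 0 };
	const struct var_ie *ie;
	size_t pos = 0;
	if (pkt_len < HDR) {
		r.truncated = 1;           /* pkt_len - HDR would wrap */
		return r;
	}
	while (pos < pkt_len - HDR) {
		ie = next_ie(frame + HDR, pkt_len - HDR, &pos);
		if (!ie) {
			r.truncated = 1;
			break;
		}
		r.ies++;
		if (ie->element_id == EID_VENDOR &&
		    ie->length >= 6 &&                   /* length before memcmp */
		    !memcmp(ie->data, WMM_PARA_OUI, 6))
			r.wmm++;
	}
	return r;
}

/* Store the first WPA IE (header + payload) in a 256-byte slot, the check
 * patch 3/3 adds to rtw_cfg80211_set_wpa_ie(): -1 if it cannot fit (a
 * 255-byte payload needs 257 bytes), 0 if absent, else bytes stored. */
int copy_wpa_ie(const uint8_t *ies, size_t len, uint8_t out[SUPPLICANT_IE_MAX])
{
	const struct var_ie *ie;
	size_t pos = 0, total;
	while ((ie = next_ie(ies, len, &pos)) != NULL) {
		if (ie->element_id != EID_VENDOR || ie->length < 4 ||
		    memcmp(ie->data, WPA_OUI, 4))
			continue;
		total = sizeof(*ie) + ie->length;
		if (total > SUPPLICANT_IE_MAX)
			return -1;
		memcpy(out, ie, total);
		return (int)total;
	}
	return 0;
}

/* Constructed sample frames: 36 zero bytes of header/fixed fields, then IEs. */
const uint8_t good_beacon[] = { [HDR] = 0, 4, 'n', 'e', 't', '1',        /* SSID */
	221, 8, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x01, 0x80, 0x00 };         /* WMM, trimmed */
const uint8_t lone_id_beacon[]   = { [HDR] = 0, 4, 'n', 'e', 't', '1', 221 };
const uint8_t overrun_beacon[]   = { [HDR] = 221, 30, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x01 };
const uint8_t short_oui_beacon[] = { [HDR] = 221, 3, 0x00, 0x50, 0xf2, 0, 4, 'n', 'e', 't', '1' };
const uint8_t wpa_ies[]          = { 221, 6, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00 };
const uint8_t huge_wpa_ies[257]  = { 221, 255, 0x00, 0x50, 0xf2, 0x01 };
uint8_t supplicant_ie[SUPPLICANT_IE_MAX];
```

next_ie() on its own cannot tell a clean end of the list from a truncated tail, so walk_beacon() keeps the `pos < len` test ahead of the call and treats a NULL inside the loop as truncation; that is the same division of labour as the `for (i = 0; i < len;)` loop plus the two new guards in update_beacon_info(). The three constructed frames after good_beacon each trip one of the pre-fix reads: a trailing lone element_id byte, a declared payload longer than the frame, and a 3-byte vendor IE in front of the OUI compare.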