From: Alexandru Hossu
To: greg@kroah.com
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v5 1/3] staging: rtl8723bs: fix OOB reads in update_beacon_info() and bwmode_update_check()
Date: Mon, 11 May 2026 18:57:41 +0200
Message-ID: <20260511165743.1588637-2-hossu.alexandru@gmail.com>
In-Reply-To: <20260511165743.1588637-1-hossu.alexandru@gmail.com>
References: <20260511165743.1588637-1-hossu.alexandru@gmail.com>

Three out-of-bounds read paths in Beacon IE processing:

1. Unsigned underflow in len computation.

   update_beacon_info() computes:

       len = pkt_len - (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN);

   where len is unsigned int. If pkt_len is smaller than
   _BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN (36 bytes), the subtraction wraps
   to a very large value, causing the IE loop to iterate over memory far
   beyond the receive buffer. Add an early return when pkt_len is too
   small.

2. WMM OUI comparison reads 6 bytes past a possibly short IE payload.

   For WLAN_EID_VENDOR_SPECIFIC, the code calls
   memcmp(pIE->data, WMM_PARA_OUI, 6) before checking
   pIE->length == WLAN_WMM_LEN. An IE with pIE->length < 6 causes memcmp
   to read into adjacent frame data. Swap the condition so the length
   check comes first.

3. bwmode_update_check() missing minimum IE length check.

   bwmode_update_check() rejects IEs longer than
   sizeof(struct HT_info_element) but accepts any shorter length,
   including zero. After the check it casts pIE->data to
   struct HT_info_element * and reads infos[0] (offset 1), which is out
   of bounds when pIE->length is 0 or 1. Change the guard from > to != to
   require the IE to be exactly the expected size.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu
---
Changes in v5:
- No code changes from v4.

Changes in v4:
- Add pkt_len < _BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN guard before the len
  subtraction to prevent unsigned underflow (sashiko review of v3).
- Swap WLAN_EID_VENDOR_SPECIFIC condition: check pIE->length == WLAN_WMM_LEN
  before memcmp to avoid reading 6 bytes from a short IE payload (sashiko
  review of v3).
- Fix bwmode_update_check(): change > sizeof(struct HT_info_element) to
  != sizeof(struct HT_info_element) to also reject IEs shorter than the
  expected size, preventing the read of infos[0] on a zero-length IE
  (sashiko review of v3).

Changes in v3:
- No code changes from v2.

Changes in v2:
- Add IE loop header and payload bounds checks in update_beacon_info().
- Use sizeof(*pIE) + pIE->length instead of pIE->length + 2 for consistency
  with the sizeof(*pIE) guards (Dan Carpenter).

 drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/stagi= ng/rtl8723bs/core/rtw_wlan_util.c index dd34f229df12..6ea0d646b961 100644 --- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c +++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c @@ -850,7 +850,7 @@ static void bwmode_update_check(struct adapter *padapte= r, struct ndis_80211_var_ if (phtpriv->ht_option =3D=3D false) return; =20 - if (pIE->length > sizeof(struct HT_info_element)) + if (pIE->length !=3D sizeof(struct HT_info_element)) return; =20 pHT_info =3D (struct HT_info_element *)pIE->data; @@ -1287,6 +1287,9 @@ void update_beacon_info(struct adapter *padapter, u8 = *pframe, uint pkt_len, stru unsigned int len; struct ndis_80211_var_ie *pIE; =20 + if (pkt_len < _BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN) + return; + len =3D pkt_len - (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN); =20 for (i =3D 0; i < len;) {
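Review bot: the `!=` in bwmode_update_check() is stricter than what the function actually dereferences: per the commit message it reads only infos[0] at offset 1, yet the check now requires the full sizeof(struct HT_info_element) and silently drops anything else. The same struct is guarded with `<` in join_cmd_hdl() in patch 2/3 of this series, so the driver ends up with two policies for HT_info_element. Pick one, and add a one-line comment here stating why an exact-size match is required, since a reader of this hunk alone cannot tell whether over-long IEs are rejected on purpose.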
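Review bot: the guard `if (pkt_len < _BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN) return;` is correct and pkt_len equal to the sum leaves len == 0 so the for loop does not run, but the sum is evaluated on two consecutive lines and the two can drift apart under later edits; a local such as `const unsigned int hdr_len = _BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN;` used in both places would avoid that. The per-IE header and payload bounds checks mentioned in the v2 changelog are not part of this hunk, so this guard only closes the underflow; the loop body is assumed to already reject an IE whose `sizeof(*pIE) + pIE->length` exceeds `len - i`.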
@@ -1299,7 +1302,8 @@ void update_beacon_info(struct adapter *padapter, u8 = *pframe, uint pkt_len, stru switch (pIE->element_id) { case WLAN_EID_VENDOR_SPECIFIC: /* to update WMM parameter set while receiving beacon */ - if (!memcmp(pIE->data, WMM_PARA_OUI, 6) && pIE->length =3D=3D WLAN_WMM_= LEN) /* WMM */ + if (pIE->length =3D=3D WLAN_WMM_LEN && + !memcmp(pIE->data, WMM_PARA_OUI, 6)) /* WMM */ if (WMM_param_handler(padapter, pIE)) report_wmm_edca_update(padapter); =20 -- 2.53.0
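Review bot: with `pIE->length == WLAN_WMM_LEN && !memcmp(pIE->data, WMM_PARA_OUI, 6)` the 6-byte memcmp is only reached on a payload of exactly WLAN_WMM_LEN bytes, which is correct, but the other caller of WMM_param_handler() visible in this series, join_cmd_hdl() in patch 2/3, accepts `pIE->length >= WLAN_WMM_LEN` for the same handler. One of the two sites is either too strict or too loose; align them, ideally by moving the length check into WMM_param_handler() itself so every caller gets it.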
From: Alexandru Hossu
To: greg@kroah.com
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v5 2/3] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl()
Date: Mon, 11 May 2026 18:57:42 +0200
Message-ID: <20260511165743.1588637-3-hossu.alexandru@gmail.com>
In-Reply-To: <20260511165743.1588637-1-hossu.alexandru@gmail.com>
References: <20260511165743.1588637-1-hossu.alexandru@gmail.com>

Seven out-of-bounds read paths in the IE parsing loops of issue_assocreq()
and join_cmd_hdl():

1. Vendor-specific OUI comparison reads 4 bytes past a possibly short IE
   payload (issue_assocreq).

   For WLAN_EID_VENDOR_SPECIFIC, the code calls memcmp(pIE->data, OUI, 4)
   on RTW_WPA_OUI, WMM_OUI, and WPS_OUI without first verifying that
   pIE->length is at least 4. Add pIE->length >= 4 guard before the
   comparisons.

2. WPS truncation path passes vs_ie_length = 14 when pIE->length < 14
   (issue_assocreq).

   When wifi_spec is 0 and the IE matches WPS_OUI, the code sets
   vs_ie_length = 14 and passes pIE->data to rtw_set_ie() regardless of
   pIE->length. If pIE->length is between 4 and 13, rtw_set_ie() reads up
   to (14 - pIE->length) bytes past the IE payload. Skip the IE with break
   when pIE->length < 14.

3. HT Capability IE memcpy reads sizeof(struct HT_caps_element) bytes from
   an IE that may be shorter (issue_assocreq).

   The WLAN_EID_HT_CAPABILITY handler copies:

       memcpy(&pmlmeinfo->HT_caps, pIE->data, sizeof(struct HT_caps_element));

   If pIE->length < sizeof(struct HT_caps_element), the memcpy reads
   beyond the end of the IE payload. Add a minimum length check and skip
   the IE if it is too short.

4. rtw_set_ie called with untrusted pIE->length for HT Capability
   (issue_assocreq).

   After the memcpy the code passes pIE->length directly to rtw_set_ie()
   as the IE body length. If pIE->length exceeds
   sizeof(struct HT_caps_element), rtw_set_ie copies that many bytes from
   pmlmeinfo->HT_caps, reading past the end of the struct. Use
   sizeof(struct HT_caps_element) instead.

5. WMM guard in join_cmd_hdl() insufficient for WMM_param_handler().

   The WLAN_EID_VENDOR_SPECIFIC handler in join_cmd_hdl() calls
   WMM_param_handler() after a pIE->length >= 4 OUI check.
   WMM_param_handler() reads pIE->data + 6 and copies
   sizeof(struct WMM_para_element) = 18 bytes, requiring a minimum of 24
   bytes total. Strengthen the guard to pIE->length >= WLAN_WMM_LEN.

6. HT Operation IE accessed without minimum length check (join_cmd_hdl).

   The WLAN_EID_HT_OPERATION handler casts pIE->data to
   struct HT_info_element * and reads pht_info->infos[0] (offset 1)
   without verifying pIE->length >= sizeof(struct HT_info_element). A
   zero- or one-byte HT Operation IE causes an out-of-bounds read. Add a
   minimum length check and break if the IE is too short.

7. Loop advancement uses literal 2 instead of sizeof(*pIE) in both loops.

   i += (pIE->length + 2) is functionally equivalent to
   i += sizeof(*pIE) + pIE->length today, but the literal 2 is
   inconsistent with the sizeof(*pIE) guards added at the top of each
   loop. Use sizeof(*pIE) + pIE->length for consistency.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu
---
Changes in v5:
- In the WPS truncation path of issue_assocreq(), v4 set vs_ie_length = 14
  and called rtw_set_ie() with pIE->data even when pIE->length < 14,
  reading (14 - pIE->length) bytes past the IE payload. Fixed by breaking
  out of the switch when pIE->length < 14 (sashiko review of v4).
- The WMM guard in join_cmd_hdl() was pIE->length >= 4, sufficient for the
  OUI check but not for WMM_param_handler(), which reads pIE->data + 6 and
  copies sizeof(struct WMM_para_element) = 18 bytes (total 24).
  Strengthened to pIE->length >= WLAN_WMM_LEN (sashiko review of v4).

Changes in v4:
- Add pIE->length >= 4 guard before the 4-byte OUI memcmps in the
  WLAN_EID_VENDOR_SPECIFIC cases of both functions (sashiko review of v3).
- In issue_assocreq() WLAN_EID_HT_CAPABILITY: add minimum length check
  (pIE->length < sizeof(struct HT_caps_element)) and use
  sizeof(struct HT_caps_element) instead of pIE->length in rtw_set_ie() to
  prevent OOB reads past the HT_caps struct (sashiko review of v3).
- In join_cmd_hdl() WLAN_EID_HT_OPERATION: add minimum length check
  (pIE->length < sizeof(struct HT_info_element)) before casting pIE->data
  to struct HT_info_element * and reading infos[0] (sashiko review of v3).

Changes in v3:
- No code changes from v2.

Changes in v2:
- Add IE loop header and payload bounds checks for issue_assocreq() and
  join_cmd_hdl().

 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/stagin= g/rtl8723bs/core/rtw_mlme_ext.c index 68ce422305ed..0c4a73805d39 100644 --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -2943,9 +2943,10 @@ void issue_assocreq(struct adapter *padapter) =20 switch (pIE->element_id) { case WLAN_EID_VENDOR_SPECIFIC: - if ((!memcmp(pIE->data, RTW_WPA_OUI, 4)) || + if (pIE->length >=3D 4 && + ((!memcmp(pIE->data, RTW_WPA_OUI, 4)) || (!memcmp(pIE->data, WMM_OUI, 4)) || - (!memcmp(pIE->data, WPS_OUI, 4))) { + (!memcmp(pIE->data, WPS_OUI, 4)))) { vs_ie_length =3D pIE->length; if ((!padapter->registrypriv.wifi_spec) && (!memcmp(pIE->data, WPS_OUI= , 4))) { /* Commented by Kurt 20110629 @@ -2953,7 +2954,8 @@ void issue_assocreq(struct adapter *padapter) * would be fail if we append vendor * extensions information to AP */ - + if (pIE->length < 14) + break; vs_ie_length =3D 14; } =20 @@ -2967,8 +2969,10 @@ void issue_assocreq(struct adapter *padapter) case WLAN_EID_HT_CAPABILITY: if (padapter->mlmepriv.htpriv.ht_option) { if (!(is_ap_in_tkip(padapter))) { + if (pIE->length < sizeof(struct HT_caps_element)) + break; memcpy(&(pmlmeinfo->HT_caps), pIE->data, sizeof(struct HT_caps_elemen= t)); - pframe =3D rtw_set_ie(pframe, WLAN_EID_HT_CAPABILITY, pIE->length, (u= 8 *)(&(pmlmeinfo->HT_caps)), &(pattrib->pktlen)); + pframe =3D rtw_set_ie(pframe, WLAN_EID_HT_CAPABILITY, sizeof(struct H= T_caps_element), (u8 *)(&(pmlmeinfo->HT_caps)), &(pattrib->pktlen)); } } break; @@ -2981,7 +2985,7 @@ void issue_assocreq(struct adapter *padapter) break; } =20 - i +=3D (pIE->length + 2); + i +=3D sizeof(*pIE) + pIE->length; } =20 if (pmlmeinfo->assoc_AP_vendor =3D=3D HT_IOT_PEER_REALTEK) @@ -5340,7 +5344,8 @@ u8 join_cmd_hdl(struct adapter *padapter, u8 *pbuf) =20 switch (pIE->element_id) { case WLAN_EID_VENDOR_SPECIFIC:/* Get WMM IE. */ - if (!memcmp(pIE->data, WMM_OUI, 4)) + if (pIE->length >=3D WLAN_WMM_LEN && + !memcmp(pIE->data, WMM_OUI, 4)) WMM_param_handler(padapter, pIE); break; =20 
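Review bot: the new `if (pIE->length < 14) break;` in the WPS branch of `case WLAN_EID_VENDOR_SPECIFIC:` exits the switch before the rtw_set_ie() call, so a WPS IE shorter than 14 bytes is now left out of the association request entirely rather than sent truncated. That is the safe choice, but "Skip the IE with break" in the commit message should say that the request goes out without a WPS IE, and the magic 14 that is now checked and assigned two lines apart deserves a named constant or a comment saying what those 14 bytes of the WPS IE are.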
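Review bot: in the WLAN_EID_HT_CAPABILITY case, `if (pIE->length < sizeof(struct HT_caps_element)) break;` rejects a short IE, while an over-long IE is accepted and silently cut down to sizeof(struct HT_caps_element) by the memcpy and the rtw_set_ie() call. Patch 1/3 treats the comparable HT_info_element with an exact `!=` match. Decide whether over-long HT Capability IEs should also be rejected and state the choice in the commit message; if truncation is intended, a comment on the memcpy line saying so would stop the next reader from "fixing" it.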
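Review bot: `i += sizeof(*pIE) + pIE->length;` is only equivalent to the old `pIE->length + 2` when struct ndis_80211_var_ie ends in a flexible array member so that sizeof(*pIE) == 2; if data were declared as a fixed one-byte array the loop would skip a byte per IE and misparse everything after the first element. A `BUILD_BUG_ON(sizeof(*pIE) != 2);` next to the loop, or a comment on the struct definition, would pin that assumption down for both this loop and the one in join_cmd_hdl().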
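Review bot: the `pIE->length >= WLAN_WMM_LEN` guard in join_cmd_hdl() encodes what WMM_param_handler() reads (pIE->data + 6 plus sizeof(struct WMM_para_element), 24 bytes per the commit message), but nothing at the call site says so, and update_beacon_info() in patch 1/3 guards the same handler with `==` instead of `>=`. Either add a comment tying WLAN_WMM_LEN to the handler's reads, or better, check the length once inside WMM_param_handler() so its callers cannot disagree.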
@@ -5353,7 +5358,12 @@ u8 join_cmd_hdl(struct adapter *padapter, u8 *pbuf) =20 /* spec case only for cisco's ap because cisco's ap issue assoc rsp usi= ng mcs rate @40MHz or @20MHz */ { - struct HT_info_element *pht_info =3D (struct HT_info_element *)(pIE->d= ata); + struct HT_info_element *pht_info; + + if (pIE->length < sizeof(struct HT_info_element)) + break; + + pht_info =3D (struct HT_info_element *)(pIE->data); =20 if (pnetwork->configuration.ds_config <=3D 14) { if ((pregpriv->bw_mode & 0x0f) > CHANNEL_WIDTH_20) 
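Review bot: `if (pIE->length < sizeof(struct HT_info_element)) break;` in the WLAN_EID_HT_OPERATION case uses `<`, whereas bwmode_update_check() in patch 1/3 requires `!= sizeof(struct HT_info_element)` for the very same struct; pick one rule for HT_info_element across the driver. The `break` sits inside a bare braced block within the case, which does exit the switch as intended, but hoisting the check above the opening brace (before the pht_info declaration) would make that control flow obvious.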
@@ -5384,7 +5394,7 @@ u8 join_cmd_hdl(struct adapter *padapter, u8 *pbuf) break; } =20 - i +=3D (pIE->length + 2); + i +=3D sizeof(*pIE) + pIE->length; } =20 /* check channel, bandwidth, offset and switch */ -- 2.53.0
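Review bot: the loop advance `i += sizeof(*pIE) + pIE->length;` in join_cmd_hdl() carries the same sizeof(*pIE) == 2 assumption as the issue_assocreq() loop, and the top-of-loop header and payload checks from the v2 changelog are not in this hunk. Confirm that the loop verifies `i + sizeof(*pIE) + pIE->length <= len` before entering the switch; without that, the HT Operation and WMM guards added above bound only the IE's own payload, not whether that payload is still inside the buffer.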
From: Alexandru Hossu
To: greg@kroah.com
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v5 3/3] staging: rtl8723bs: fix OOB reads in rtw_get_wps_ie()
Date: Mon, 11 May 2026 18:57:43 +0200
Message-ID: <20260511165743.1588637-4-hossu.alexandru@gmail.com>
In-Reply-To: <20260511165743.1588637-1-hossu.alexandru@gmail.com>
References: <20260511165743.1588637-1-hossu.alexandru@gmail.com>

Three out-of-bounds read paths in rtw_get_wps_ie():

1. rtw_get_wps_ie() reads the IE length byte without a header bounds
   check.

   The loop only guards on cnt < in_len, so when the buffer ends with a
   single element_id byte and no length byte, in_ie[cnt + 1] is read one
   byte past the end of the buffer. Add a check that at least two header
   bytes remain (cnt + 2 <= in_len) before reading in_ie[cnt + 1].

2. rtw_get_wps_ie() does not verify the declared IE payload fits within
   in_len.

   After reading the length byte, the loop does not verify that
   in_ie[cnt + 1] + 2 bytes are available starting at cnt. A crafted
   length value can cause the subsequent memcmp and memcpy to read past
   the end of the buffer. Add a check that the full IE (header plus
   payload) fits within in_len.

3. rtw_get_wps_ie() reads 4 bytes from the IE payload via memcmp without
   checking that pIE->length >= 4.

   The code calls memcmp(&in_ie[cnt + 2], wps_oui, 4) without first
   verifying that the IE payload is at least 4 bytes long. Add an
   in_ie[cnt + 1] >= 4 guard before the comparison.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu
---
Changes in v5:
- No code changes from v4.

Changes in v4:
- Add two IE bounds checks in rtw_get_wps_ie(): break if fewer than two
  header bytes remain, and break if the declared payload extends past
  in_len; add in_ie[cnt + 1] >= 4 guard before the 4-byte WPS OUI memcmp
  (sashiko review of v3).

Changes in v3:
- No code changes from v2.

Changes in v2:
- Add explicit size checks in rtw_cfg80211_set_wpa_ie() before memcpy to
  prevent the 256-byte supplicant_ie buffer overflow (now in tree as
  92f3954ca9e9).

 drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c b/drivers/stagi= ng/rtl8723bs/core/rtw_ieee80211.c index 72b7f731dd47..d6d5f3a8db4c 100644 --- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c +++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c @@ -661,7 +661,14 @@ u8 *rtw_get_wps_ie(u8 *in_ie, uint in_len, u8 *wps_ie,= uint *wps_ielen) while (cnt < in_len) { eid =3D in_ie[cnt]; =20 - if ((eid =3D=3D WLAN_EID_VENDOR_SPECIFIC) && (!memcmp(&in_ie[cnt + 2], w= ps_oui, 4))) { + if (cnt + 2 > in_len) + break; + + if (in_ie[cnt + 1] + 2 > in_len - cnt) + break; + + if ((eid =3D=3D WLAN_EID_VENDOR_SPECIFIC) && (in_ie[cnt + 1] >=3D 4) && + (!memcmp(&in_ie[cnt + 2], wps_oui, 4))) { wpsie_ptr =3D &in_ie[cnt]; =20 if (wps_ie) -- 2.53.0
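Review bot: the two new checks are in the right order (`cnt + 2 > in_len` is tested before `in_ie[cnt + 1]` is read) and `in_len - cnt` cannot wrap because the while condition guarantees cnt < in_len. `in_ie[cnt + 1]` is now read three times in a row, though; a local `u8 ie_len = in_ie[cnt + 1];` right after the header check would let the payload check and the `>= 4` guard read as one bound on the same value. Also worth one sentence in the commit message: a malformed IE now ends the whole search with `break`, so later well-formed IEs in the same buffer are never examined, which is the intended fail-closed behaviour.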
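The three messages above describe the same class of bug from three angles: subtracting a fixed header size from an untrusted length without checking it first, comparing an OUI before checking that the payload is long enough to hold it, and casting an IE payload to a struct without requiring the struct's size. The C below is an added example, not code from the rtl8723bs driver or from this series: it walks the IE list of a Beacon body with those checks applied, so it serves as one illustration of the bounds-check pattern behind patches 1/3, 2/3 and 3/3. The names var_ie, ie_stats, ie_walk(), walk_ies() and unchecked_ie_len(), the HT_INFO_LEN and WMM_PARAM_LEN values (22 and 24, read off the commit messages rather than the driver's headers) and the two sample IE lists are this example's own assumptions.

```c
/*
 * Added example, not code from the rtl8723bs driver or this series: a
 * bounds-checked walk over the IE list of an 802.11 Beacon body. Names,
 * constants and sample data are assumptions made for the example.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WLAN_HDR_A3_LEN     24	/* 802.11 header with three address fields */
#define BEACON_IE_OFFSET    12	/* timestamp(8) + beacon interval(2) + capability(2) */
#define HDR_LEN             (BEACON_IE_OFFSET + WLAN_HDR_A3_LEN)
#define EID_HT_OPERATION    61
#define EID_VENDOR_SPECIFIC 221
#define HT_INFO_LEN         22	/* assumed sizeof(struct HT_info_element) */
#define WMM_PARAM_LEN       24	/* WLAN_WMM_LEN: 6-byte OUI/type/subtype/version + 18-byte body */

struct var_ie {
	uint8_t element_id;
	uint8_t length;
	uint8_t data[];		/* flexible array member, so sizeof(struct var_ie) == 2 */
};

/* ies: well-formed IEs visited; wmm/ht_op: IEs accepted; truncated: walk stopped early */
struct ie_stats { int ies, wmm, ht_op, truncated; };

static const uint8_t wmm_para_oui[6] = { 0x00, 0x50, 0xf2, 0x02, 0x01, 0x01 };

/* The pre-fix arithmetic: for pkt_len < 36 the unsigned subtraction wraps. */
unsigned int unchecked_ie_len(unsigned int pkt_len)
{
	return pkt_len - HDR_LEN;
}

/* Returns 0 and fills *st, or -1 (without touching *st) if the frame cannot
 * even hold the MAC header and fixed fields. */
int ie_walk(const uint8_t *pframe, size_t pkt_len, struct ie_stats *st)
{
	const uint8_t *ies;
	size_t len, i;

	if (pkt_len < HDR_LEN)			/* check before subtracting: no wrap */
		return -1;
	memset(st, 0, sizeof(*st));
	ies = pframe + HDR_LEN;
	len = pkt_len - HDR_LEN;
	for (i = 0; i < len;) {
		const struct var_ie *ie = (const struct var_ie *)(ies + i);

		if (len - i < sizeof(*ie) ||			/* both header bytes present? */
		    len - i - sizeof(*ie) < ie->length) {	/* declared payload present? */
			st->truncated++;
			break;
		}
		switch (ie->element_id) {
		case EID_VENDOR_SPECIFIC:	/* length first, so memcmp never overreads */
			if (ie->length == WMM_PARAM_LEN &&
			    !memcmp(ie->data, wmm_para_oui, sizeof(wmm_para_oui)))
				st->wmm++;
			break;
		case EID_HT_OPERATION:		/* exact size before data is used as HT_info_element */
			if (ie->length == HT_INFO_LEN)
				st->ht_op++;
			break;
		}
		st->ies++;
		i += sizeof(*ie) + ie->length;
	}
	return 0;
}

/* Constructed sample IE lists, not captured traffic. */
const uint8_t ies_ok[] = {
	0x00, 0x02, 'a', 'b',					/* SSID "ab" */
	61, 22, 6, 0, 0, 0, 0, 0,				/* HT Operation: channel 6 + 5 info bytes */
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,		/* ... + 16 MCS bytes */
	221, 24, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x01,		/* WMM Parameter: OUI/type/subtype/version */
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,	/* ... + 18-byte body */
};
const uint8_t ies_bad[] = {
	221, 3, 0x00, 0x50, 0xf2,	/* vendor IE shorter than the 6-byte OUI */
	61, 1, 0x05,			/* one-byte HT Operation IE */
	221, 30, 0x00, 0x50,		/* claims 30 bytes, only 2 present */
};

/* Wraps an IE list (at most 220 bytes) in a zeroed MAC header + fixed fields
 * and walks it; ies == -1 marks a rejected frame. */
struct ie_stats walk_ies(const uint8_t *ies, size_t ies_len)
{
	uint8_t buf[256] = { 0 };
	struct ie_stats st = { 0 };

	memcpy(buf + HDR_LEN, ies, ies_len);
	if (ie_walk(buf, HDR_LEN + ies_len, &st) < 0)
		st.ies = -1;
	return st;
}
```

For ies_bad the walk visits the 3-byte vendor IE (too short to be WMM, so it is counted but not matched), rejects the 1-byte HT Operation IE by size, and stops at the IE whose declared 30-byte payload does not fit, leaving two well-formed IEs and one truncation; unchecked_ie_len(20) shows the wrapped value the pre-fix subtraction would have fed to the loop.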