[PATCH v7 0/7] staging: rtl8723bs: fix OOB reads and writes in IE/attribute parsing

Alexandru Hossu posted 7 patches 2 days, 17 hours ago
Fix out-of-bounds memory accesses in several IE and attribute parsing
paths of the rtl8723bs driver.  All affected functions iterate over
attacker-controlled IE data from over-the-air frames without validating
header or payload bounds before dereferencing.

Alexandru Hossu (7):
  staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
  staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and
    join_cmd_hdl()
  staging: rtl8723bs: fix heap buffer overflow in
    rtw_cfg80211_set_wpa_ie()
  staging: rtl8723bs: fix OOB write in HT_caps_handler()
  staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop
  staging: rtl8723bs: fix OOB reads in is_ap_in_tkip() IE loop
  staging: rtl8723bs: fix OOB reads in rtw_get_sec_ie(),
    rtw_get_wapi_ie(), and rtw_get_wps_attr()

 .../staging/rtl8723bs/core/rtw_ieee80211.c    | 15 ++++++++++++
 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 12 ++++++++++
 .../staging/rtl8723bs/core/rtw_wlan_util.c    | 23 +++++++++++++++----
 .../staging/rtl8723bs/os_dep/ioctl_cfg80211.c |  8 +++++++
 4 files changed, 53 insertions(+), 5 deletions(-)

---
v7: no code changes; add full version history to cover letter (omitted
    from v6)
v6: add two patches addressing issues found during v5 review.
    Patch 6 adds IE header bounds checks and payload length guards to
    is_ap_in_tkip().  Patch 7 adds header and payload bounds checks to
    rtw_get_sec_ie(), rtw_get_wapi_ie(), and rtw_get_wps_attr().
v5: patch 2: fix WPS truncation path reading past IE payload when
    pIE->length < 14; strengthen WMM guard in join_cmd_hdl() from
    pIE->length >= 4 to >= WLAN_WMM_LEN
v4: patch 1: add pkt_len underflow guard; fix WLAN_EID_VENDOR_SPECIFIC
    condition ordering; fix bwmode_update_check() IE length check from
    > to !=.  Patch 2: add pIE->length >= 4 OUI guards; add HT_caps and
    HT_info minimum length checks.  Patch 3: add bounds checks in
    rtw_get_wps_ie(); add WPS OUI length guard.
v3: add Fixes: 554c0a3abf21 and Cc: stable@vger.kernel.org to all
    patches; move Reviewed-by above Signed-off-by
v2: patch 1: rewrite loop increment as sizeof(*pIE) + pIE->length for
    consistency with the sizeof(*pIE) guards (Dan Carpenter)
v1: initial submission

v6: https://lore.kernel.org/r/20260521130330.754181-1-hossu.alexandru@gmail.com
v5: https://lore.kernel.org/r/20260511165743.1588637-1-hossu.alexandru@gmail.com
v4: https://lore.kernel.org/r/20260505173818.3674164-1-hossu.alexandru@gmail.com
v3: https://lore.kernel.org/r/20260427081626.3393697-1-hossu.alexandru@gmail.com
v2: https://lore.kernel.org/r/20260426095156.3523480-1-hossu.alexandru@gmail.com
v1: https://lore.kernel.org/r/20260424151932.3734611-1-hossu.alexandru@gmail.com
--
2.54.0
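As an added illustration of the guard pattern this series describes (not code from the series or from the rtl8723bs driver), the walker below applies the same four checks to a constructed 802.11 IE list: a length underflow guard before the IE offset is subtracted, a `sizeof(*ie)` header check before `id`/`length` are read, a payload check before the payload is touched, a minimum-length guard before a vendor-specific OUI is inspected, and a loop increment of `sizeof(*ie) + ie->length` that matches the guards. The struct, function and sample buffers are this example's own; the sample frames are constructed and deliberately include a truncated IE and a vendor IE too short to hold an OUI.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed header for one 802.11 information element (id, length, payload).
 * Its layout mirrors the pIE header the cover letter refers to. */
struct ie_hdr {
	uint8_t id;
	uint8_t length;
	uint8_t payload[];
};

#define IE_VENDOR_SPECIFIC 221
#define IE_OUI_MIN_LEN 4 /* 3-byte OUI + 1 type byte: the "pIE->length >= 4" guard */

/* Outcome of walking one IE list (names are this example's own). */
struct ie_walk_result {
	int ie_count;     /* well-formed IEs visited */
	int vendor_count; /* vendor IEs with enough payload to hold an OUI */
	int truncated;    /* 1 if an IE header or payload would cross the buffer end */
};

/*
 * Walk the IE list starting at ie_offset inside a frame of frame_len bytes.
 * Every dereference is preceded by a check on the bytes that remain:
 *   1. frame_len >= ie_offset, so the subtraction cannot underflow;
 *   2. sizeof(*ie) bytes remain before ie->id / ie->length are read;
 *   3. ie->length payload bytes remain before the payload is used;
 *   4. a vendor IE has at least IE_OUI_MIN_LEN payload bytes before the OUI is looked at.
 */
struct ie_walk_result walk_ies(const uint8_t *frame, size_t frame_len, size_t ie_offset)
{
	struct ie_walk_result r = { 0, 0, 0 };
	size_t pos = ie_offset;
	size_t remaining;

	if (frame_len < ie_offset) { /* guard 1: underflow */
		r.truncated = 1;
		return r;
	}
	remaining = frame_len - ie_offset;

	while (remaining >= sizeof(struct ie_hdr)) { /* guard 2: header fits */
		const struct ie_hdr *ie = (const struct ie_hdr *)(frame + pos);
		size_t ie_len;

		if (ie->length > remaining - sizeof(struct ie_hdr)) { /* guard 3: payload fits */
			r.truncated = 1;
			return r;
		}

		/* guard 4: only now is ie->payload[0..3] safe to compare against an OUI */
		if (ie->id == IE_VENDOR_SPECIFIC && ie->length >= IE_OUI_MIN_LEN)
			r.vendor_count++;
		r.ie_count++;

		/* advance by the full element, matching the sizeof(*ie) guards above */
		ie_len = sizeof(struct ie_hdr) + ie->length;
		pos += ie_len;
		remaining -= ie_len;
	}

	/* fewer than sizeof(*ie) trailing bytes cannot be an IE: report, do not read them */
	if (remaining != 0)
		r.truncated = 1;
	return r;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t sample_good[] = {
	0x00, 0x03, 'a', 'b', 'c',                  /* SSID "abc" */
	0xdd, 0x05, 0x00, 0x50, 0xf2, 0x02, 0x01,   /* vendor IE with a 4-byte OUI+type */
};
static const uint8_t sample_truncated[] = {
	0x00, 0x03, 'a', 'b', 'c',
	0xdd, 0x0a, 0x00, 0x50,                     /* claims 10 payload bytes, only 2 present */
};
static const uint8_t sample_short_vendor[] = { 0xdd, 0x02, 0x00, 0x50 }; /* too short for an OUI */
static const uint8_t sample_dangling[]     = { 0x00, 0x00, 0x01 };       /* one stray byte after an empty SSID */
static const uint8_t sample_prefixed[]     = { 0xaa, 0xbb, 0xcc, 0xdd, 0x00, 0x03, 'a', 'b', 'c' }; /* 4 fixed bytes, then IEs */

int main(void)
{
	struct ie_walk_result r = walk_ies(sample_truncated, sizeof(sample_truncated), 0);
	printf("ies=%d vendor=%d truncated=%d\n", r.ie_count, r.vendor_count, r.truncated);
	return 0;
}
```

The same shape applies to the attribute loops inside a WPS IE: treat the IE payload as the buffer, the attribute header as the unit, and check the header and the attribute length against the remaining payload before each dereference.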