From nobody Sun May 24 19:34:45 2026
From: Alexandru Hossu
To: gregkh@linuxfoundation.org
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, luka.gejak@linux.dev, Alexandru Hossu, stable@vger.kernel.org
Subject: [PATCH v7 1/7] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
Date: Fri, 22 May 2026 02:45:25 +0200
Message-ID: <20260522004531.1038924-2-hossu.alexandru@gmail.com>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260522004531.1038924-1-hossu.alexandru@gmail.com>
References: <20260521130330.754181-1-hossu.alexandru@gmail.com> <20260522004531.1038924-1-hossu.alexandru@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The IE parsing loop in update_beacon_info() advances by (pIE->length + 2) each iteration but only guards on i < len. When a malicious AP sends a Beacon whose last IE has only one byte remaining in the frame (the element_id byte lands at len-1), the loop reads pIE->length from one byte past the allocated receive buffer.

Additionally, even when the header bytes are in bounds, pIE->length itself can extend the data window beyond len, passing a truncated IE to the handler functions.

Add two guards at the top of the loop body:

1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
2. Break if the IE's declared data extends past len.

Also replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length for consistency with the sizeof(*pIE) guards added above.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak
Signed-off-by: Alexandru Hossu
---
 drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index 6a7c09db4cd9..e0d73c267786 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c +++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c @@ -1289,7 +1289,11 @@ void update_beacon_info(struct adapter *padapter, u8= *pframe, uint pkt_len, stru len =3D pkt_len - (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN); =20 for (i =3D 0; i < len;) { + if (i + sizeof(*pIE) > len) + break; pIE =3D (struct ndis_80211_var_ie *)(pframe + (_BEACON_IE_OFFSET_ + WLAN= _HDR_A3_LEN) + i); + if (i + sizeof(*pIE) + pIE->length > len) + break; =20 switch (pIE->element_id) { case WLAN_EID_VENDOR_SPECIFIC: 
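Review bot: the two guards close the walk itself, but the context line `len = pkt_len - (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN)` in this hunk is unsigned arithmetic (pkt_len is `uint` in the signature), so a frame shorter than the fixed beacon header wraps len to a huge value and neither new guard catches it; unless the caller already rejects such frames, an explicit `if (pkt_len < _BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN) return;` before the loop would close that path. A one-line comment that sizeof(*pIE) is the 2-byte element_id/length header would also make the two `+ sizeof(*pIE)` guards read naturally for someone who does not know struct ndis_80211_var_ie.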
@@ -1314,7 +1318,7 @@ void update_beacon_info(struct adapter *padapter, u8 = *pframe, uint pkt_len, stru break; } =20 - i +=3D (pIE->length + 2); + i +=3D sizeof(*pIE) + pIE->length; } } =20 --=20 2.54.0
From nobody Sun May 24 19:34:45 2026
From: Alexandru Hossu
To: gregkh@linuxfoundation.org
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, luka.gejak@linux.dev, Alexandru Hossu, stable@vger.kernel.org
Subject: [PATCH v7 2/7] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl()
Date: Fri, 22 May 2026 02:45:26 +0200
Message-ID: <20260522004531.1038924-3-hossu.alexandru@gmail.com>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260522004531.1038924-1-hossu.alexandru@gmail.com>
References: <20260521130330.754181-1-hossu.alexandru@gmail.com> <20260522004531.1038924-1-hossu.alexandru@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Two IE parsing loops are missing the header bounds checks before they dereference pIE->length:

- issue_assocreq() walks pmlmeinfo->network.ies to build the association request. If the stored IE data ends with only an element_id byte and no length byte, pIE->length is read one byte past the end of the buffer.
- join_cmd_hdl() walks pnetwork->ies during station join and has the same problem under the same conditions.

Both buffers are filled from AP beacon and probe-response frames, so a malicious AP that sends a truncated final IE can trigger the issue.

Apply the two-guard pattern established in update_beacon_info():

1. Break if fewer than sizeof(*pIE) bytes remain.
2. Break if the IE's declared data extends past the buffer end.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak
Signed-off-by: Alexandru Hossu
---
 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index 884cd39ec756..c646dc2a1741 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c @@ -2931,7 +2931,11 @@ void issue_assocreq(struct adapter *padapter) =20 /* vendor specific IE, such as WPA, WMM, WPS */ for (i =3D sizeof(struct ndis_802_11_fix_ie); i < pmlmeinfo->network.ie_l= ength;) { + if (i + sizeof(*pIE) > pmlmeinfo->network.ie_length) + break; pIE =3D (struct ndis_80211_var_ie *)(pmlmeinfo->network.ies + i); + if (i + sizeof(*pIE) + pIE->length > pmlmeinfo->network.ie_length) + break; =20 switch (pIE->element_id) { case WLAN_EID_VENDOR_SPECIFIC: 
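Review bot: the same two-guard prologue (`if (i + sizeof(*pIE) > ie_length) break;` / compute pIE / `if (i + sizeof(*pIE) + pIE->length > ie_length) break;`) now appears verbatim in update_beacon_info(), here in issue_assocreq(), and in join_cmd_hdl() in the next hunk; consider a small static inline helper in a shared header that takes the buffer length and offset and returns the validated pIE or NULL, so the three copies cannot drift apart when one is touched later. If the duplication is kept, a short comment above each guard pair naming the pattern would at least tie them together for readers.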
@@ -5324,7 +5328,11 @@ u8 join_cmd_hdl(struct adapter *padapter, u8 *pbuf) =20 /* sizeof(struct ndis_802_11_fix_ie) */ for (i =3D _FIXED_IE_LENGTH_; i < pnetwork->ie_length;) { + if (i + sizeof(*pIE) > pnetwork->ie_length) + break; pIE =3D (struct ndis_80211_var_ie *)(pnetwork->ies + i); + if (i + sizeof(*pIE) + pIE->length > pnetwork->ie_length) + break; =20 switch (pIE->element_id) { case WLAN_EID_VENDOR_SPECIFIC:/* Get WMM IE. */ --=20 2.54.0
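The IE-walk defect and its fix described in patches 1/7 and 2/7 above, shown as an added stand-alone example (not the driver's code and not part of the patch series). `struct var_ie` is a constructed stand-in for the driver's 2-byte element_id/length header, the three byte arrays are constructed IE lists rather than captured frames, and the "naive" walker is a model of the original loop that records the highest offset it would touch instead of actually reading past the buffer, so the overread is visible without undefined behaviour.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the driver's struct ndis_80211_var_ie: a 2-byte header
 * (element_id, length) followed by `length` bytes of data, so
 * sizeof(struct var_ie) == 2 (the flexible array member adds nothing). */
struct var_ie {
    uint8_t element_id;
    uint8_t length;
    uint8_t data[];
};

enum stop_reason { STOP_CLEAN = 0, STOP_SHORT_HEADER = 1, STOP_TRUNCATED_BODY = 2 };

struct walk_result {
    unsigned ies_seen;        /* IEs that would reach the per-element handlers */
    enum stop_reason reason;  /* why the walk ended */
};

/* Guarded walk, mirroring the two checks the patches add: first make sure
 * both header bytes are inside the buffer, then that the declared body is. */
static struct walk_result walk_ies_guarded(const uint8_t *buf, size_t len)
{
    struct walk_result r = { 0, STOP_CLEAN };
    size_t i = 0;

    while (i < len) {
        if (i + sizeof(struct var_ie) > len) {              /* guard 1: header fits? */
            r.reason = STOP_SHORT_HEADER;
            break;
        }
        const struct var_ie *ie = (const struct var_ie *)(buf + i);
        if (i + sizeof(struct var_ie) + ie->length > len) { /* guard 2: body fits? */
            r.reason = STOP_TRUNCATED_BODY;
            break;
        }
        r.ies_seen++;                                       /* handler would run here */
        i += sizeof(struct var_ie) + ie->length;
    }
    return r;
}

/* Model of the original loop, which only tested i < len. It never reads out
 * of bounds itself; it records the highest byte offset the loop would touch.
 * A result >= len means the real loop would have read past the buffer. */
static size_t walk_ies_naive_max_offset(const uint8_t *buf, size_t len)
{
    size_t i = 0, max_off = 0;

    while (i < len) {
        size_t len_off = i + 1;                 /* where pIE->length lives */
        if (len_off > max_off)
            max_off = len_off;
        if (len_off >= len)                     /* would read buf[len]: stop the model */
            break;
        size_t body_end = i + 2 + buf[len_off]; /* one past the last body byte */
        if (body_end - 1 > max_off)
            max_off = body_end - 1;             /* handlers would touch up to here */
        i = body_end;
    }
    return max_off;
}

static int naive_walk_reads_oob(const uint8_t *buf, size_t len)
{
    return walk_ies_naive_max_offset(buf, len) >= len;
}

/* Constructed sample IE lists (not captured frames). */
static const uint8_t ies_ok[]         = { 0xDD, 0x03, 0x01, 0x02, 0x03, 0x30, 0x01, 0xAA };
static const uint8_t ies_short_hdr[]  = { 0xDD, 0x03, 0x01, 0x02, 0x03, 0x30 };             /* id byte, no length byte */
static const uint8_t ies_trunc_body[] = { 0xDD, 0x03, 0x01, 0x02, 0x03, 0x30, 0x05, 0xAA }; /* claims 5 bytes, has 1 */

int main(void)
{
    const struct { const char *name; const uint8_t *buf; size_t len; } cases[] = {
        { "well-formed",    ies_ok,         sizeof ies_ok },
        { "short header",   ies_short_hdr,  sizeof ies_short_hdr },
        { "truncated body", ies_trunc_body, sizeof ies_trunc_body },
    };
    for (size_t c = 0; c < sizeof cases / sizeof cases[0]; c++) {
        struct walk_result r = walk_ies_guarded(cases[c].buf, cases[c].len);
        printf("%-15s guarded: %u IE(s) handled, stop=%d; original loop %s\n",
               cases[c].name, r.ies_seen, (int)r.reason,
               naive_walk_reads_oob(cases[c].buf, cases[c].len)
                   ? "would read out of bounds" : "stays in bounds");
    }
    return 0;
}
```

The guarded walker stops at the first malformed element and reports why, which is also the behaviour the patches choose (break rather than skip), so a handler never sees a header or body that lies outside the frame.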
From nobody Sun May 24 19:34:45 2026
From: Alexandru Hossu
To: gregkh@linuxfoundation.org
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, luka.gejak@linux.dev, Alexandru Hossu, stable@vger.kernel.org
Subject: [PATCH v7 3/7] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie()
Date: Fri, 22 May 2026 02:45:27 +0200
Message-ID: <20260522004531.1038924-4-hossu.alexandru@gmail.com>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260522004531.1038924-1-hossu.alexandru@gmail.com>
References: <20260521130330.754181-1-hossu.alexandru@gmail.com> <20260522004531.1038924-1-hossu.alexandru@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

supplicant_ie is a 256-byte array in struct security_priv. The WPA and WPA2 IE copy paths use:

    memcpy(padapter->securitypriv.supplicant_ie, &pwpa[0], wpa_ielen + 2);

where wpa_ielen is the raw IE length field (u8, 0-255). When a local user supplies a connect request via nl80211 with a crafted WPA IE of length 255, wpa_ielen + 2 equals 257, overflowing the 256-byte buffer by one byte into the adjacent last_mic_err_time field.

rtw_parse_wpa_ie() does not prevent this: its length consistency check compares *(wpa_ie+1) against (u8)(wpa_ie_len-2), which is (u8)(255) == 255 when wpa_ie_len = 257, so the check passes silently.

Add explicit bounds checks for both the WPA and WPA2 paths before the memcpy, rejecting any IE whose total size (wpa_ielen + 2) exceeds the supplicant_ie buffer.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak
Signed-off-by: Alexandru Hossu
---
 drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c b/drivers/st= aging/rtl8723bs/os_dep/ioctl_cfg80211.c index 098456e97c96..3d930d9af184 100644 --- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c @@ -1443,6 +1443,10 @@ static int rtw_cfg80211_set_wpa_ie(struct adapter *p= adapter, u8 *pie, size_t iel =20 pwpa =3D rtw_get_wpa_ie(buf, &wpa_ielen, ielen); if (pwpa && wpa_ielen > 0) { + if (wpa_ielen + 2 > sizeof(padapter->securitypriv.supplicant_ie)) { + ret =3D -EINVAL; + goto exit; + } if (rtw_parse_wpa_ie(pwpa, wpa_ielen + 2, &group_cipher, &pairwise_ciphe= r, NULL) =3D=3D _SUCCESS) { padapter->securitypriv.dot11AuthAlgrthm =3D dot11AuthAlgrthm_8021X; padapter->securitypriv.ndisauthtype =3D Ndis802_11AuthModeWPAPSK; 
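Review bot: the new `ret = -EINVAL; goto exit;` path leaves the function before rtw_parse_wpa_ie() runs; since `buf` (the buffer rtw_get_wpa_ie() scans here) is distinct from the `pie` parameter, it looks like a locally allocated copy, so please confirm the `exit:` label releases it and any other state set up earlier, otherwise this early return leaks. The check itself is right (`wpa_ielen + 2` is the full element, header included, compared against the destination size), but the identical block is repeated for the WPA2 path in the next hunk; a short comment at the first copy explaining that wpa_ielen is the raw u8 length byte, so the 2-byte header makes 257 possible, would spare the next reader the trip back to the commit message.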
@@ -1452,6 +1456,10 @@ static int rtw_cfg80211_set_wpa_ie(struct adapter *p= adapter, u8 *pie, size_t iel =20 pwpa2 =3D rtw_get_wpa2_ie(buf, &wpa2_ielen, ielen); if (pwpa2 && wpa2_ielen > 0) { + if (wpa2_ielen + 2 > sizeof(padapter->securitypriv.supplicant_ie)) { + ret =3D -EINVAL; + goto exit; + } if (rtw_parse_wpa2_ie(pwpa2, wpa2_ielen + 2, &group_cipher, &pairwise_ci= pher, NULL) =3D=3D _SUCCESS) { padapter->securitypriv.dot11AuthAlgrthm =3D dot11AuthAlgrthm_8021X; padapter->securitypriv.ndisauthtype =3D Ndis802_11AuthModeWPA2PSK; --=20 2.54.0
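The off-by-one described in patch 3/7 above, as an added stand-alone example rather than the driver's code: it models the 256-byte supplicant_ie array next to the last_mic_err_time field, reproduces the (u8)-truncated length consistency check the commit message attributes to rtw_parse_wpa_ie() to show why it passes for a 257-byte element, and then applies the sizeof-based rejection the patch adds before any copy takes place. `struct security_priv_model`, `build_wpa_ie` and `try_store` are constructed for this example; the IE bytes are constructed, not captured.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NEG_EINVAL (-22)   /* stand-in for the kernel's -EINVAL */

/* Model of the two adjacent fields named in the commit message: the 256-byte
 * supplicant_ie array and the field a one-byte overrun would clobber. */
struct security_priv_model {
    uint8_t  supplicant_ie[256];
    uint32_t last_mic_err_time;
};

/* The length consistency check as the commit message describes it for
 * rtw_parse_wpa_ie(): the element's own length byte is compared with the
 * caller's total length minus 2, truncated to u8. Returns 1 when it passes. */
static int legacy_length_check(const uint8_t *wpa_ie, unsigned wpa_ie_len)
{
    return wpa_ie[1] == (uint8_t)(wpa_ie_len - 2);
}

/* Hardened store: the whole element (2-byte header + body) must fit the
 * destination before anything is copied. Returns 0 on success, -EINVAL otherwise. */
static int store_supplicant_ie(struct security_priv_model *sp,
                               const uint8_t *pwpa, unsigned wpa_ielen)
{
    if (wpa_ielen + 2 > sizeof(sp->supplicant_ie))
        return NEG_EINVAL;
    memcpy(sp->supplicant_ie, pwpa, wpa_ielen + 2);
    return 0;
}

/* Build a constructed vendor-specific WPA element (id 0xDD, OUI 00:50:F2,
 * type 1) with `body_len` body bytes into out (out must hold 257 bytes).
 * Returns the total element length, body_len + 2. */
static unsigned build_wpa_ie(uint8_t out[257], uint8_t body_len)
{
    static const uint8_t wpa_oui_type[4] = { 0x00, 0x50, 0xF2, 0x01 };
    memset(out, 0, 257);
    out[0] = 0xDD;
    out[1] = body_len;
    memcpy(out + 2, wpa_oui_type, body_len < 4 ? body_len : 4);
    return (unsigned)body_len + 2;
}

struct outcome {
    int rc;               /* result of the hardened store */
    int legacy_passes;    /* whether the (u8)-truncated check would have let it through */
    int neighbour_intact; /* last_mic_err_time still holds its sentinel afterwards */
};

/* Run one scenario for a given IE body length against a fresh struct. */
static struct outcome try_store(uint8_t body_len)
{
    struct security_priv_model sp;
    uint8_t ie[257];
    struct outcome o;
    unsigned total = build_wpa_ie(ie, body_len);

    memset(&sp, 0, sizeof sp);
    sp.last_mic_err_time = 0xA5A5A5A5u;          /* sentinel in the adjacent field */
    o.legacy_passes = legacy_length_check(ie, total);
    o.rc = store_supplicant_ie(&sp, ie, body_len);
    o.neighbour_intact = (sp.last_mic_err_time == 0xA5A5A5A5u);
    return o;
}

int main(void)
{
    const uint8_t lens[] = { 22, 254, 255 };   /* typical WPA IE, largest that fits, one too many */
    for (size_t k = 0; k < sizeof lens; k++) {
        struct outcome o = try_store(lens[k]);
        printf("body=%3u total=%3u  legacy check %s  hardened store rc=%d  neighbour %s\n",
               lens[k], lens[k] + 2, o.legacy_passes ? "passes" : "fails ", o.rc,
               o.neighbour_intact ? "intact" : "CLOBBERED");
    }
    return 0;
}
```

For body length 255 the legacy comparison sees (u8)(257 - 2) == 255 and passes, exactly as the commit message says, while the sizeof-based guard rejects the element with -EINVAL before memcpy can reach the neighbouring field; 254 is the largest body that fits and is accepted.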
From nobody Sun May 24 19:34:45 2026
From: Alexandru Hossu
To: gregkh@linuxfoundation.org
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, luka.gejak@linux.dev, Alexandru Hossu, stable@vger.kernel.org
Subject: [PATCH v7 4/7] staging: rtl8723bs: fix OOB write in HT_caps_handler()
Date: Fri, 22 May 2026 02:45:28 +0200
Message-ID: <20260522004531.1038924-5-hossu.alexandru@gmail.com>
X-Mailer: git-send-email 2.54.0
In-Reply-To: <20260522004531.1038924-1-hossu.alexandru@gmail.com>
References: <20260521130330.754181-1-hossu.alexandru@gmail.com> <20260522004531.1038924-1-hossu.alexandru@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

HT_caps_handler() iterates pIE->length bytes and writes into HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct HT_caps_element). Because pIE->length is a raw u8 from an over-the-air 802.11 AssocResponse frame and is never validated, a malicious AP can set it up to 255, causing up to 229 bytes of out-of-bounds writes into adjacent fields of struct mlme_ext_info.

Truncate the iteration count to the size of HT_caps.u.HT_cap using umin() so that data from a longer-than-expected IE is silently ignored rather than written out of bounds, preserving interoperability with APs that pad the element.

An early return on oversized IEs was considered but rejected: it would bypass the pmlmeinfo->HT_caps_enable = 1 assignment that precedes the loop, silently disabling HT mode for APs that append extra bytes to the HT Capabilities IE.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu
---
 drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index e0d73c267786..dd34f229df12 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -936,7 +936,8 @@ void HT_caps_handler(struct adapter *padapter, struct n= dis_80211_var_ie *pIE) =20 pmlmeinfo->HT_caps_enable =3D 1; =20 - for (i =3D 0; i < (pIE->length); i++) { + for (i =3D 0; i < umin(pIE->length, + sizeof(pmlmeinfo->HT_caps.u.HT_cap)); i++) { if (i !=3D 2) { /* Commented by Albert 2010/07/12 */ /* Got the endian issue here. */ --=20 2.54.0
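Review bot: umin() is a comparatively recent addition to linux/minmax.h, well after the driver's initial import that the Fixes: tag points at, so the stable backports this patch is Cc'd for will not build as-is on older branches; either spell the bound with min_t(size_t, pIE->length, sizeof(pmlmeinfo->HT_caps.u.HT_cap)) or flag the dependency for the stable maintainers. The truncation itself does what the commit message intends (the `pmlmeinfo->HT_caps_enable = 1` context line stays reachable for oversized elements), but that reasoning lives only in the commit message; a one-line comment above the loop saying that extra bytes are deliberately ignored rather than rejected, for interoperability, would keep it with the code.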
From: Alexandru Hossu To: gregkh@linuxfoundation.org Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, luka.gejak@linux.dev, Alexandru Hossu , stable@vger.kernel.org Subject: [PATCH v7 5/7] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop Date: Fri, 22 May 2026 02:45:29 +0200 Message-ID: <20260522004531.1038924-6-hossu.alexandru@gmail.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260522004531.1038924-1-hossu.alexandru@gmail.com> References: <20260521130330.754181-1-hossu.alexandru@gmail.com> <20260522004531.1038924-1-hossu.alexandru@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The IE parsing loop in OnAssocRsp() advances by (pIE->length + 2) each iteration but only guards on i < pkt_len. When a malicious AP sends an AssocResponse whose last IE has only one byte remaining in the frame (the element_id byte lands at pkt_len-1), the loop reads pIE->length from pframe[pkt_len], which is one byte past the allocated receive buffer. Additionally, even when the header bytes are in bounds, pIE->length itself can extend the data window beyond pkt_len, silently passing a truncated IE to the handler functions. Add two guards at the top of the loop body: 1. Break if fewer than sizeof(*pIE) bytes remain (can't read header). 2. Break if the IE's declared data extends past pkt_len. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable@vger.kernel.org Signed-off-by: Alexandru Hossu --- drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/stagin= g/rtl8723bs/core/rtw_mlme_ext.c index c646dc2a1741..68ce422305ed 100644 --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c 
@@ -1406,7 +1406,11 @@ unsigned int OnAssocRsp(struct adapter *padapter, un= ion recv_frame *precv_frame) /* to handle HT, WMM, rate adaptive, update MAC reg */ /* for not to handle the synchronous IO in the tasklet */ for (i =3D (6 + WLAN_HDR_A3_LEN); i < pkt_len;) { + if (i + sizeof(*pIE) > pkt_len) + break; pIE =3D (struct ndis_80211_var_ie *)(pframe + i); + if (i + sizeof(*pIE) + pIE->length > pkt_len) + break; =20 switch (pIE->element_id) { case WLAN_EID_VENDOR_SPECIFIC: --=20 2.54.0 From nobody Sun May 24 19:34:45 2026 Received: from mail-ed1-f50.google.com (mail-ed1-f50.google.com [209.85.208.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8D7FE2D6E6C for ; Fri, 22 May 2026 00:46:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.50 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779410788; cv=none; b=kxyGVEj1XxJfBSalEsTXtP+Ja7qDVW05GsKDQIlsiRD/+gvUfkRGLL8KzrkHG3AMejb32sgjakYdnncnFiYEhCvYi7TuQNYzkikbrBBuAWXn38yBpkMZJLvW/VTttfTvtnUI5mebRrOKGNSjVPlL8cW+QRtqRbvtE9GJ5ag+1Bw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779410788; c=relaxed/simple; bh=7SsrYMKDh9rt+9N6EF+fS9nQeI4YX7vkrI18oJQsNRU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=HiBWREDQrpwl+S+GtjcNgxDb4mVDfX7UvtvGiHRlu3E2CD2dkomOhrAj27xp5jmfs8RRN6zX6RAdpVb+g6ubdskQlfjyvozlVfwWrmFZxRk6dzETuWlPhgevEYIZTt8VyPHkPzq+arc/bNC8kTsF/Gc3YJAYYiRS3mbwZXU0s1Q= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=CWA1M/V4; arc=none smtp.client-ip=209.85.208.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: 
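Review bot: the two guards measure the header as sizeof(*pIE) while, per the commit message, the loop still advances by (pIE->length + 2); the two agree only if sizeof(struct ndis_80211_var_ie) is exactly 2, which the patch does not state. Patch 6/7 rewrote the matching increment in is_ap_in_tkip() as i += sizeof(*pIE) + pIE->length; do the same here, or use the literal 2 in both the guards and the increment, so the check and the step cannot drift apart. Also, on a truncated tail the loop breaks silently and whatever follows the loop runs with the IEs seen so far; if a malformed AssocResponse should rather be rejected outright, that decision belongs in the commit message.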
From: Alexandru Hossu To: gregkh@linuxfoundation.org Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, luka.gejak@linux.dev, Alexandru Hossu , stable@vger.kernel.org Subject: [PATCH v7 6/7] staging: rtl8723bs: fix OOB reads in is_ap_in_tkip() IE loop Date: Fri, 22 May 2026 02:45:30 +0200 Message-ID: <20260522004531.1038924-7-hossu.alexandru@gmail.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260522004531.1038924-1-hossu.alexandru@gmail.com> References: <20260521130330.754181-1-hossu.alexandru@gmail.com> <20260522004531.1038924-1-hossu.alexandru@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The loop in is_ap_in_tkip() iterates over IEs without verifying that enough bytes remain before dereferencing the IE header or its payload: - pIE->element_id and pIE->length are read without checking that i + sizeof(*pIE) <=3D ie_length, so a truncated IE at the end of the buffer causes an OOB read. - For WLAN_EID_VENDOR_SPECIFIC the code compares pIE->data + 12, which requires pIE->length >=3D 16. For WLAN_EID_RSN it compares pIE->data + 8, requiring pIE->length >=3D 12. Neither requirement is checked. Add the missing IE header and payload bounds checks and guard each data access with an explicit pIE->length minimum, matching the pattern established in update_beacon_info(). Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable@vger.kernel.org Signed-off-by: Alexandru Hossu --- drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/stagi= ng/rtl8723bs/core/rtw_wlan_util.c index dd34f229df12..94bbe7ac13ac 100644 --- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c +++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c 
@@ -1335,15 +1335,23 @@ unsigned int is_ap_in_tkip(struct adapter *padapter) for (i =3D sizeof(struct ndis_802_11_fix_ie); i < pmlmeinfo->network.ie_= length;) { pIE =3D (struct ndis_80211_var_ie *)(pmlmeinfo->network.ies + i); =20 + if (i + sizeof(*pIE) > pmlmeinfo->network.ie_length) + break; + if (i + sizeof(*pIE) + pIE->length > pmlmeinfo->network.ie_length) + break; + switch (pIE->element_id) { case WLAN_EID_VENDOR_SPECIFIC: - if ((!memcmp(pIE->data, RTW_WPA_OUI, 4)) && (!memcmp((pIE->data + 12),= WPA_TKIP_CIPHER, 4))) + if (pIE->length >=3D 16 && + !memcmp(pIE->data, RTW_WPA_OUI, 4) && + !memcmp((pIE->data + 12), WPA_TKIP_CIPHER, 4)) return true; =20 break; =20 case WLAN_EID_RSN: - if (!memcmp((pIE->data + 8), RSN_TKIP_CIPHER, 4)) + if (pIE->length >=3D 12 && + !memcmp((pIE->data + 8), RSN_TKIP_CIPHER, 4)) return true; break; =20 
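Review bot: the minimum lengths 16 and 12 are right for the bytes actually read (data+12..15 and data+8..11) but land in the code as bare constants; a short comment deriving them (WPA: OUI+type 4, version 2, group cipher 4, pairwise count 2 = 12, plus the 4-byte suite; RSN: version 2, group 4, count 2 = 8, plus 4) or a pair of named constants would keep the next change to either offset from silently invalidating its guard. Minor: here pIE is assigned before the header-size check while patch 5/7 checks before assigning; neither dereferences before checking, but the series should settle on one ordering.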
@@ -1351,7 +1359,7 @@ unsigned int is_ap_in_tkip(struct adapter *padapter) break; } =20 - i +=3D (pIE->length + 2); + i +=3D sizeof(*pIE) + pIE->length; } =20 return false; --=20 2.54.0 From nobody Sun May 24 19:34:45 2026 Received: from mail-ed1-f46.google.com (mail-ed1-f46.google.com [209.85.208.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EAB9129AAEA for ; Fri, 22 May 2026 00:46:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.46 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779410790; cv=none; b=WkNGCvBA4Fy/aiUcKBiMnraIcktIigELLTF0zrsCwynZfK0R1tD6rRQuoUwfq4i0ElziOJNVYp1e46uWsNNy21LTM/fG/OCRHHBPOji1x3OXSGL2Hgho6NMkauOAkvLZioTXgsSX+p2CdBx7VIZLw6fqvKWad09dXtglk13wBiU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779410790; c=relaxed/simple; bh=Y/az4SiItbIAigjIqxrH/7l1AsFAjEqLedDBBPQ3Rrw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Q1A6BRmLtkfMrEXYr/1FHdqY4LPkwooYyw9XjWiZSBeF81QQE9wgH0+2jnCCCrlI2/nJncljaPifQmvsenUYhxXxeYOe98gHUdso1z2y2FwLg8oPEkPQiGxzAwdxbYgErYVz89mc0CkQC5d05bWnISohQv5K5LyAefvBR2UrrRk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=G9/BrFbW; arc=none smtp.client-ip=209.85.208.46 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="G9/BrFbW" Received: by mail-ed1-f46.google.com with SMTP id 4fb4d7f45d1cf-6877c719cb0so3303733a12.2 for ; Thu, 21 May 2026 17:46:28 -0700 
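Review bot: the increment change from (pIE->length + 2) to sizeof(*pIE) + pIE->length is not mentioned in the commit message, which describes only the added bounds checks. It is behaviour-preserving only if sizeof(struct ndis_80211_var_ie) == 2, i.e. the data member is a flexible array; if the struct ever pads or declares data[1], every step skips a byte and the walk desynchronises. Either document the equivalence in the commit message, keep the literal 2 here and in the new guards, or add a BUILD_BUG_ON(sizeof(struct ndis_80211_var_ie) != 2) next to the loop so the assumption is checked at build time.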
From: Alexandru Hossu To: gregkh@linuxfoundation.org Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, luka.gejak@linux.dev, Alexandru Hossu , stable@vger.kernel.org Subject: [PATCH v7 7/7] staging: rtl8723bs: fix OOB reads in rtw_get_sec_ie(), rtw_get_wapi_ie(), and rtw_get_wps_attr() Date: Fri, 22 May 2026 02:45:31 +0200 Message-ID: <20260522004531.1038924-8-hossu.alexandru@gmail.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260522004531.1038924-1-hossu.alexandru@gmail.com> References: <20260521130330.754181-1-hossu.alexandru@gmail.com> <20260522004531.1038924-1-hossu.alexandru@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Three IE/attribute parsing functions have missing bounds checks. rtw_get_sec_ie() and rtw_get_wapi_ie() iterate over a raw IE buffer without verifying that the header bytes (tag + length) are within the remaining buffer before reading them. Additionally, rtw_get_sec_ie() compares the 4-byte WPA OUI at cnt+2 without checking that at least 6 bytes remain, and rtw_get_wapi_ie() compares a 4-byte WAPI OUI at cnt+6 without checking that at least 10 bytes remain. rtw_get_wps_attr() reads wps_ie[0] and wps_ie+2 unconditionally at entry, before verifying that wps_ielen is large enough to contain the 6-byte WPS IE header (element_id + length + 4-byte OUI). Inside the attribute loop, get_unaligned_be16() is called on attr_ptr and attr_ptr+2 without checking that 4 bytes remain in the buffer. Add a cnt+2 bounds check before each loop body in rtw_get_sec_ie() and rtw_get_wapi_ie(), guard each multi-byte comparison with a minimum IE length requirement, add a wps_ielen < 6 early return in rtw_get_wps_attr(), and add a 4-byte bounds check in its inner loop. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable@vger.kernel.org 
Signed-off-by: Alexandru Hossu --- drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c b/drivers/stagi= ng/rtl8723bs/core/rtw_ieee80211.c index 72b7f731dd47..3c1f0068cd92 100644 --- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c +++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c @@ -583,9 +583,14 @@ int rtw_get_wapi_ie(u8 *in_ie, uint in_len, u8 *wapi_i= e, u16 *wapi_len) cnt =3D (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_); =20 while (cnt < in_len) { + if (cnt + 2 > in_len) + break; + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; authmode =3D in_ie[cnt]; =20 if (authmode =3D=3D WLAN_EID_BSS_AC_ACCESS_DELAY && + in_ie[cnt + 1] >=3D 8 && (!memcmp(&in_ie[cnt + 6], wapi_oui1, 4) || !memcmp(&in_ie[cnt + 6], wapi_oui2, 4))) { if (wapi_ie) @@ -616,9 +621,14 @@ void rtw_get_sec_ie(u8 *in_ie, uint in_len, u8 *rsn_ie= , u16 *rsn_len, u8 *wpa_ie cnt =3D (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_); =20 while (cnt < in_len) { + if (cnt + 2 > in_len) + break; + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; authmode =3D in_ie[cnt]; =20 if ((authmode =3D=3D WLAN_EID_VENDOR_SPECIFIC) && + in_ie[cnt + 1] >=3D 4 && (!memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4))) { if (wpa_ie) memcpy(wpa_ie, &in_ie[cnt], in_ie[cnt + 1] + 2); @@ -699,6 +709,9 @@ u8 *rtw_get_wps_attr(u8 *wps_ie, uint wps_ielen, u16 ta= rget_attr_id, u8 *buf_att if (len_attr) *len_attr =3D 0; =20 + if (wps_ielen < 6) + return attr_ptr; + if ((wps_ie[0] !=3D WLAN_EID_VENDOR_SPECIFIC) || (memcmp(wps_ie + 2, wps_oui, 4))) { return attr_ptr; 
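Review bot: in the rtw_get_wapi_ie() hunk the in_ie[cnt + 1] >= 8 minimum is exactly what the two memcmp() calls at &in_ie[cnt + 6] need (6 bytes from the IE start plus 4 OUI bytes fits in 2 header bytes plus 8 data bytes), but it is a bare constant sitting next to a bare offset; derive it in a comment or define the OUI offset once and compute the minimum from it, so a later change to one cannot silently invalidate the other.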
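Review bot: in the rtw_get_sec_ie() hunk the source side is now bounded, but the memcpy(wpa_ie, &in_ie[cnt], in_ie[cnt + 1] + 2) that follows still copies up to 257 bytes (a u8 length plus the 2-byte header) into wpa_ie with no destination size known to the function. That is pre-existing, but since this patch is what makes the copy length trustworthy, either state at the function or in the commit message that callers must supply a wpa_ie of at least 257 bytes, or give the function a destination length to check against.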
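Review bot: the wps_ielen < 6 early return in rtw_get_wps_attr() covers wps_ie[0] and the 4-byte OUI compare at wps_ie + 2, but the function never consults the IE's own length byte wps_ie[1]; the attribute loop bounds on wps_ielen alone, so a caller that passes a buffer longer than the IE will have attributes parsed from bytes beyond the IE (still inside the buffer). Either check wps_ie[1] + 2 <= wps_ielen here and walk only to wps_ie[1], or document that wps_ielen must be the IE's exact length.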
@@ -709,6 +722,8 @@ u8 *rtw_get_wps_attr(u8 *wps_ie, uint wps_ielen, u16 ta= rget_attr_id, u8 *buf_att =20 while (attr_ptr - wps_ie < wps_ielen) { /* 4 =3D 2(Attribute ID) + 2(Length) */ + if (attr_ptr + 4 > wps_ie + wps_ielen) + break; u16 attr_id =3D get_unaligned_be16(attr_ptr); u16 attr_data_len =3D get_unaligned_be16(attr_ptr + 2); u16 attr_len =3D attr_data_len + 4; --=20 2.54.0
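Review bot: the 4-byte header check stops get_unaligned_be16() from reading past the buffer, but nothing in this hunk checks that the attribute's declared payload fits: attr_len = attr_data_len + 4 is computed from attacker-controlled bytes, and whatever consumes attr_data_len after this (not in the hunk) can still run past wps_ie + wps_ielen when the field lies. Add the payload check the other functions in this series received, e.g. if (attr_ptr + attr_len > wps_ie + wps_ielen) break; immediately after attr_len is computed, and consider writing both checks as offsets, (attr_ptr - wps_ie) + 4 > wps_ielen, which matches the loop condition and avoids forming a pointer beyond one-past-the-end, a comparison C does not guarantee to be meaningful.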
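The bounds-check pattern the three commit messages describe (reject an IE whose header does not fit, reject one whose declared length runs past the buffer, then require a per-element minimum before reading fixed offsets) is easiest to see in isolation. The following is an added example written for this page, not code from the rtl8723bs driver or from the patch series: a small userspace C model of the walk that the 5/7 and 6/7 hunks harden, run over constructed frames that reproduce the three failure modes (a lone trailing element_id byte, an oversized length field, and an in-bounds RSN IE too short for the data+8 compare). The element IDs and cipher-suite selectors are the standard 802.11 values; the struct and function names are this example's own, not the driver's.

```c
/*
 * Added example, not code from the rtl8723bs driver or this patch series:
 * a userspace model of the bounds-checked 802.11 IE walk that patches 5/7
 * and 6/7 describe. Each IE is element_id (1 byte), length (1 byte), then
 * `length` data bytes. Element IDs and cipher selectors are the IEEE
 * 802.11 values; all frames below are constructed for the demonstration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WLAN_EID_RSN             48
#define WLAN_EID_VENDOR_SPECIFIC 221
#define IE_HDR_LEN               2u /* element_id + length */

static const uint8_t WPA_OUI[4]         = { 0x00, 0x50, 0xf2, 0x01 };
static const uint8_t WPA_TKIP_CIPHER[4] = { 0x00, 0x50, 0xf2, 0x02 };
static const uint8_t RSN_TKIP_CIPHER[4] = { 0x00, 0x0f, 0xac, 0x02 };

struct ie_walk_result {
	unsigned int ies_seen; /* complete, in-bounds IEs visited */
	bool tkip;             /* first pairwise cipher suite is TKIP */
	bool truncated;        /* walk stopped at a malformed tail */
};

struct ie_walk_result walk_ies(const uint8_t *buf, size_t len)
{
	struct ie_walk_result r = { 0, false, false };
	size_t i = 0;

	while (i < len) {
		/* Guard 1 (patch 5/7): both header bytes must fit. */
		if (i + IE_HDR_LEN > len) {
			r.truncated = true;
			break;
		}
		uint8_t eid = buf[i], ielen = buf[i + 1];
		const uint8_t *data = buf + i + IE_HDR_LEN;

		/* Guard 2 (patch 5/7): the declared payload must fit. */
		if (i + IE_HDR_LEN + ielen > len) {
			r.truncated = true;
			break;
		}
		r.ies_seen++;

		switch (eid) {
		case WLAN_EID_RSN:
			/* version(2) + group(4) + pairwise count(2) = 8, plus the
			 * 4-byte first pairwise suite: need length >= 12 (6/7). */
			if (ielen >= 12 && !memcmp(data + 8, RSN_TKIP_CIPHER, 4))
				r.tkip = true;
			break;
		case WLAN_EID_VENDOR_SPECIFIC:
			/* OUI+type(4) + version(2) + group(4) + count(2) = 12, plus
			 * the first pairwise suite: need length >= 16 (6/7). */
			if (ielen >= 16 && !memcmp(data, WPA_OUI, 4) &&
			    !memcmp(data + 12, WPA_TKIP_CIPHER, 4))
				r.tkip = true;
			break;
		}
		i += IE_HDR_LEN + ielen;
	}
	return r;
}

/* Constructed frames: SSID "net1", then an RSN IE (len 14) whose group
 * and first pairwise suites are TKIP. The variants break it the way a
 * hostile AP could. */
static const uint8_t good_frame[] = {
	0x00, 0x04, 'n', 'e', 't', '1', 0x30, 0x0e, 0x01, 0x00, 0x00, 0x0f,
	0xac, 0x02, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x01, 0x00 };
/* A trailing element_id byte with no length byte after it. */
static const uint8_t truncated_frame[] = {
	0x00, 0x04, 'n', 'e', 't', '1', 0x30, 0x0e, 0x01, 0x00, 0x00, 0x0f,
	0xac, 0x02, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x01, 0x00, 0xdd };
/* RSN IE claiming 64 data bytes while only 14 follow. */
static const uint8_t oversized_frame[] = {
	0x00, 0x04, 'n', 'e', 't', '1', 0x30, 0x40, 0x01, 0x00, 0x00, 0x0f,
	0xac, 0x02, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x01, 0x00 };
/* In-bounds RSN IE ending after the pairwise count (len 8): too short
 * for the data+8 compare, so no cipher may be reported. */
static const uint8_t short_rsn_frame[] = {
	0x00, 0x04, 'n', 'e', 't', '1', 0x30, 0x08, 0x01, 0x00, 0x00, 0x0f,
	0xac, 0x02, 0x01, 0x00 };

int main(void)
{
	struct { const char *name; const uint8_t *p; size_t n; } cases[] = {
		{ "good", good_frame, sizeof(good_frame) },
		{ "truncated", truncated_frame, sizeof(truncated_frame) },
		{ "oversized", oversized_frame, sizeof(oversized_frame) },
		{ "short_rsn", short_rsn_frame, sizeof(short_rsn_frame) },
	};
	for (size_t k = 0; k < sizeof(cases) / sizeof(cases[0]); k++) {
		struct ie_walk_result r = walk_ies(cases[k].p, cases[k].n);
		printf("%-9s ies=%u tkip=%d truncated=%d\n", cases[k].name,
		       r.ies_seen, r.tkip, r.truncated);
	}
	return 0;
}
```

Compile with cc -std=c11 -Wall and run; each frame prints how many complete IEs were visited, whether TKIP was detected and whether the walk stopped at a malformed tail. The same two-step check carries over to rtw_get_wps_attr() with a 4-byte header (big-endian id and length) in place of the 2-byte one.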