From: luka.gejak@linux.dev
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Luka Gejak <luka.gejak@linux.dev>,
linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org,
Dan Carpenter <error27@gmail.com>,
stable@vger.kernel.org
Subject: [PATCH] staging: rtl8723bs: fix remote heap information disclosure in issue_assocreq
Date: Tue, 14 Apr 2026 21:49:45 +0200 [thread overview]
Message-ID: <20260414194945.138626-1-luka.gejak@linux.dev> (raw)
From: Luka Gejak <luka.gejak@linux.dev>
When building an association request frame, the driver copies the
ht capability ie using the attacker-controlled pIE->length from the
ap's beacon. If the ap provides a length greater than the size of
struct HT_caps_element (26 bytes), it causes an out-of-bounds read
of the adjacent heap memory (HT_info and network structures).
This uninitialized or sensitive memory is then transmitted over the air,
resulting in a remote heap information disclosure.
Fix this by clamping the length passed to rtw_set_ie() to the actual
size of struct HT_caps_element.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Luka Gejak <luka.gejak@linux.dev>
---
Note: Note: Alignment of arguments in rtw_set_ie() is intentionally
like that to avoid WARNING: line length of 105 exceeds 100 columns.
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index 5f00fe282d1b..a5f30c3fd47e 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -2954,7 +2954,9 @@ void issue_assocreq(struct adapter *padapter)
if (padapter->mlmepriv.htpriv.ht_option) {
if (!(is_ap_in_tkip(padapter))) {
memcpy(&(pmlmeinfo->HT_caps), pIE->data, sizeof(struct HT_caps_element));
- pframe = rtw_set_ie(pframe, WLAN_EID_HT_CAPABILITY, pIE->length, (u8 *)(&(pmlmeinfo->HT_caps)), &(pattrib->pktlen));
+ pframe = rtw_set_ie(pframe, WLAN_EID_HT_CAPABILITY,
+ min_t(uint, pIE->length, sizeof(struct HT_caps_element)),
+ (u8 *)&pmlmeinfo->HT_caps, &pattrib->pktlen);
}
}
break;
--
2.53.0
next reply other threads:[~2026-04-14 19:50 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-14 19:49 luka.gejak [this message]
2026-04-15 4:54 ` [PATCH] staging: rtl8723bs: fix remote heap information disclosure in issue_assocreq Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260414194945.138626-1-luka.gejak@linux.dev \
--to=luka.gejak@linux.dev \
--cc=error27@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.