From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Luka Gejak <luka.gejak@linux.dev>
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] staging: rtl8723bs: fix OOB write in HT_caps_handler()
Date: Sun, 26 Apr 2026 21:27:39 +0200 [thread overview]
Message-ID: <2026042612-twiddle-disparate-ebef@gregkh> (raw)
In-Reply-To: <DHT3IJS5RI4B.1GG2CZL3B47RU@linux.dev>
On Tue, Apr 14, 2026 at 08:39:59PM +0200, Luka Gejak wrote:
> On Tue Apr 14, 2026 at 7:19 PM CEST, Greg Kroah-Hartman wrote:
> > HT_caps_handler() loops up to pIE->length, the IE length byte taken
> > directly from an over-the-air association response, and uses the counter
> > to index pmlmeinfo->HT_caps.u.HT_cap[26]. A malicious AP can supply an
> > HT capabilities IE with a length byte up to 255, AND-writing into
> > adjacent fields of struct mlme_ext_info. This is reachable in station
> > mode (the default) via OnAssocRsp.
> >
> > HT_info_handler() already rejects oversized IEs so do the same thing in
> > HT_caps_handler() to resolve this.
> >
> > Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> > Assisted-by: gregkh_clanker_t1000
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> > drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> > index 3242978da36c..a2e016c6a01f 100644
> > --- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> > +++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> > @@ -932,6 +932,9 @@ void HT_caps_handler(struct adapter *padapter, struct ndis_80211_var_ie *pIE)
> > if (phtpriv->ht_option == false)
> > return;
> >
> > + if (pIE->length > sizeof(pmlmeinfo->HT_caps))
> > + return;
> > +
> > pmlmeinfo->HT_caps_enable = 1;
> >
> > for (i = 0; i < (pIE->length); i++) {
>
> Good catch. Trusting pIE->length blindly from an unauthenticated
> association response is a classic oob write vector. Since HT_cap is
> fixed-size within the mlme_ext_info struct, this is a clear remote heap
> corruption risk if a malicious AP is in range.
> Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
And it's wrong, as per the AI review :(
Also, you have trailing whitespace on your review comments :)
thanks,
greg k-h
next prev parent reply other threads:[~2026-04-27 3:50 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-14 17:19 [PATCH] staging: rtl8723bs: fix OOB write in HT_caps_handler() Greg Kroah-Hartman
2026-04-14 18:39 ` Luka Gejak
2026-04-26 19:27 ` Greg Kroah-Hartman [this message]
-- strict thread matches above, loose matches on Subject: below --
2026-05-15 10:42 Alexandru Hossu
2026-05-15 10:51 ` Dan Carpenter
2026-05-15 11:35 ` Greg KH
2026-05-15 12:57 ` Alexandru Hossu
2026-05-15 13:01 ` M.samet Duman
2026-05-15 13:12 ` Alexandru Hossu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026042612-twiddle-disparate-ebef@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
--cc=luka.gejak@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.