* [PATCH v6] staging: rtl8723bs: fix remote heap info disclosure and OOB reads
From: luka.gejak @ 2026-05-14 9:05 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: linux-staging, linux-kernel, Luka Gejak, stable
From: Luka Gejak <luka.gejak@linux.dev>
When building an association request frame, the driver iterates over
the IEs received from the AP. In three places, the driver trusts the
attacker-controlled pIE->length without validating that it meets the
minimum expected size for the respective IE.

For WLAN_EID_HT_CAPABILITY, this causes an OOB read of adjacent heap
memory which is then transmitted over the air (remote heap information
disclosure). For WLAN_EID_VENDOR_SPECIFIC, it causes two separate OOB
reads: one when checking the 4-byte OUI, and another when copying the
14-byte WPS IE.

Fix these issues by adding upper-bound checks at the start of the loop
to ensure the IE fits within the buffer, and explicit lower-bound
checks to return a failure if the length is insufficient. For
HT_CAPABILITY, also clamp the length passed to rtw_set_ie() to the
struct size.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Luka Gejak <luka.gejak@linux.dev>
---
Changes in v6:
- Restore full change history.
Changes in v5:
- Address sashiko comments.
Changes in v4:
- Added upper-bound checks at the start of the loop to ensure the ie
fits within the received buffer, as pointed out by Dan.
- Updated commit message to reflect the addition of upper-bound checks.
Changes in v3:
- Switched to fail-fast handling for malformed IEs in issue_assocreq().
- Fixed HT capability path to use structure-sized output length in
rtw_set_ie().
- Updated commit message to reflect all oob read cases.
Changes in v2:
- Refactored rtw_set_ie() alignment to follow "open parenthesis" style.
- Allowed the line length to exceed 100 characters for better
readability as requested by Greg KH.
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 32 ++++++++++++++++++-
.../staging/rtl8723bs/core/rtw_wlan_util.c | 6 ++++
2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index cfd3eb253350..e448a814eb1c 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -2862,6 +2862,9 @@ void issue_assocreq(struct adapter *padapter)
if (pmlmeinfo->network.supported_rates[i] == 0)
break;
+ if (index >= NumRates)
+ break;
+
/* Check if the AP's supported rates are also supported by STA. */
for (j = 0; j < sta_bssrate_len; j++) {
/* Avoid the proprietary data rate (22Mbps) of Handlink WSG-4000 AP */
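Review bot: the `if (index >= NumRates) break;` guard is not described in the commit message or in the v2 to v6 changelog; state which array the index guards and how its overrun is reachable here, or split it into its own patch so the IE fixes tagged for stable stay self-contained.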
@@ -2891,10 +2894,25 @@ void issue_assocreq(struct adapter *padapter)
/* vendor specific IE, such as WPA, WMM, WPS */
for (i = sizeof(struct ndis_802_11_fix_ie); i < pmlmeinfo->network.ie_length;) {
+ if (i + 2 > pmlmeinfo->network.ie_length) {
+ rtw_free_xmitbuf(pxmitpriv, pmgntframe->pxmitbuf);
+ rtw_free_xmitframe(pxmitpriv, pmgntframe);
+ goto exit;
+ }
+
pIE = (struct ndis_80211_var_ie *)(pmlmeinfo->network.ies + i);
+ if (pIE->length > pmlmeinfo->network.ie_length - i - 2) {
+ rtw_free_xmitbuf(pxmitpriv, pmgntframe->pxmitbuf);
+ rtw_free_xmitframe(pxmitpriv, pmgntframe);
+ goto exit;
+ }
+
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:
+ if (pIE->length < 4)
+ goto exit;
+
if ((!memcmp(pIE->data, RTW_WPA_OUI, 4)) ||
(!memcmp(pIE->data, WMM_OUI, 4)) ||
(!memcmp(pIE->data, WPS_OUI, 4))) {
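Review bot: the `if (pIE->length < 4) goto exit;` path skips the rtw_free_xmitbuf()/rtw_free_xmitframe() calls that the two bounds checks just above it perform before `goto exit`, so a vendor-specific IE shorter than the OUI leaks the management frame; add the two frees there, or introduce one cleanup label that frees and falls through to exit so that every error path in the loop is identical.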
@@ -2906,6 +2924,9 @@ void issue_assocreq(struct adapter *padapter)
* extensions information to AP
*/
+ if (pIE->length < 14)
+ goto exit;
+
vs_ie_length = 14;
}
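Review bot: same problem as the OUI check: `if (pIE->length < 14) goto exit;` leaves issue_assocreq() without freeing pmgntframe's xmitbuf and xmitframe, unlike the two checks at the top of the loop; route it through the same free-then-exit sequence.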
@@ -2919,8 +2940,17 @@ void issue_assocreq(struct adapter *padapter)
case WLAN_EID_HT_CAPABILITY:
if (padapter->mlmepriv.htpriv.ht_option) {
if (!(is_ap_in_tkip(padapter))) {
+ if (pIE->length < sizeof(struct HT_caps_element)) {
+ rtw_free_xmitbuf(pxmitpriv, pmgntframe->pxmitbuf);
+ rtw_free_xmitframe(pxmitpriv, pmgntframe);
+ goto exit;
+ }
+
memcpy(&(pmlmeinfo->HT_caps), pIE->data, sizeof(struct HT_caps_element));
- pframe = rtw_set_ie(pframe, WLAN_EID_HT_CAPABILITY, pIE->length, (u8 *)(&(pmlmeinfo->HT_caps)), &(pattrib->pktlen));
+ pframe = rtw_set_ie(pframe, WLAN_EID_HT_CAPABILITY,
+ sizeof(struct HT_caps_element),
+ (u8 *)&pmlmeinfo->HT_caps,
+ &pattrib->pktlen);
}
}
break;
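Review bot: this is the third copy of the rtw_free_xmitbuf()/rtw_free_xmitframe()/`goto exit` sequence added to issue_assocreq(); a single error label placed before `exit:` would remove the duplication and make it harder for the next check to forget the frees. Passing sizeof(struct HT_caps_element) to rtw_set_ie() instead of pIE->length is right given the new lower-bound check, since the source buffer is pmlmeinfo->HT_caps and not the IE itself.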
diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index cc1a7497764c..dc4abef3a7b8 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -1327,8 +1327,14 @@ unsigned int is_ap_in_tkip(struct adapter *padapter)
if (rtw_get_capability((struct wlan_bssid_ex *)cur_network) & WLAN_CAPABILITY_PRIVACY) {
for (i = sizeof(struct ndis_802_11_fix_ie); i < pmlmeinfo->network.ie_length;) {
+ if (i + 2 > pmlmeinfo->network.ie_length)
+ return false;
+
pIE = (struct ndis_80211_var_ie *)(pmlmeinfo->network.ies + i);
+ if (pIE->length > pmlmeinfo->network.ie_length - i - 2)
+ return false;
+
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:
if ((!memcmp(pIE->data, RTW_WPA_OUI, 4)) && (!memcmp((pIE->data + 12), WPA_TKIP_CIPHER, 4)))
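Review bot: the trailing context line still does `memcmp(pIE->data + 12, WPA_TKIP_CIPHER, 4)` with no check that pIE->length is at least 16; the new upper-bound check only guarantees that the bytes the IE declares are inside the buffer, so a WPA IE declaring fewer than 16 bytes would have those four cipher bytes read from past the end of that element. Add a lower-bound check before the memcmp, returning false like the two checks above it.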
--
2.54.0
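As an added, standalone C model (not code from the patch or the driver) of the IE walk the patch hardens: it applies the same two upper-bound checks at the top of the loop and the per-element lower bounds on a constructed buffer, failing fast on the first malformed element. HT_CAPS_LEN is assumed to equal sizeof(struct HT_caps_element), and the WPS OUI bytes are an assumption about the driver's WPS_OUI.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define EID_HT_CAPABILITY   45
#define EID_VENDOR_SPECIFIC 221
/* Assumption: equals sizeof(struct HT_caps_element) in the driver (26-byte body). */
#define HT_CAPS_LEN 26
/* Assumption: the driver's WPS_OUI bytes (00:50:F2, type 4). */
static const uint8_t wps_oui[4] = { 0x00, 0x50, 0xf2, 0x04 };

enum walk_status { WALK_OK = 0, WALK_TRUNCATED_HEADER, WALK_OVERLONG_IE,
                   WALK_SHORT_VENDOR, WALK_SHORT_WPS, WALK_SHORT_HT };

/* Walk the id/length/data elements in ies[0..ie_length) with the checks the
 * patch adds, aborting on the first malformed element (fail-fast). On return
 * *ht_found says whether HT_CAPS_LEN bytes were copied into ht_out. */
enum walk_status walk_ies(const uint8_t *ies, size_t ie_length,
                          uint8_t ht_out[HT_CAPS_LEN], int *ht_found)
{
    size_t i = 0;
    *ht_found = 0;
    while (i < ie_length) {
        /* Upper bound 1: the 2-byte id/length header must fit in the buffer. */
        if (i + 2 > ie_length)
            return WALK_TRUNCATED_HEADER;
        uint8_t id = ies[i], len = ies[i + 1];
        const uint8_t *data = ies + i + 2;
        /* Upper bound 2: the declared body must not run past the buffer. */
        if (len > ie_length - i - 2)
            return WALK_OVERLONG_IE;
        switch (id) {
        case EID_VENDOR_SPECIFIC:
            if (len < 4)                    /* the 4-byte OUI memcmp */
                return WALK_SHORT_VENDOR;
            if (!memcmp(data, wps_oui, 4) && len < 14)  /* 14-byte WPS copy */
                return WALK_SHORT_WPS;
            break;
        case EID_HT_CAPABILITY:
            if (len < HT_CAPS_LEN)          /* the struct-sized memcpy */
                return WALK_SHORT_HT;
            memcpy(ht_out, data, HT_CAPS_LEN);  /* clamped to the struct, never len */
            *ht_found = 1;
            break;
        }
        i += 2 + len;
    }
    return WALK_OK;
}
```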