From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 81100425875; Thu, 16 Jul 2026 14:05:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784210748; cv=none; b=HQgXF6S/DbmRNTaattKE9+tMXPHygeSHC3+f/SfarW3Habja0jFL79LCTCKokxo3jw4zT2o9DSLFHHXxowihAt8tZ76QQHUW7Afg+gwyFUXYeMI5NC4qNEqk/JDA0EE+wirLJkdMVfwAiVggQyLshgDX2wrBuTpxOWGrGODl7ic= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784210748; c=relaxed/simple; bh=prjlzUKnCwzhN4wK0BxfqWwwS8Z4b5BWBw2nEYuJVVw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=tADviw7e6Yve3YWJG0ZDQCe7IQphl2s/A/UubL3cOxY8le3RUYFNepaW1dfiLzBzn559mmStNnf5x3ceM6bDyr0i1/iOSgaSeFrzJv9MtAwHhRcURp+tLMe/jF5RWpgCIoyd0Z/b677Ee1hh4kcBmZOhFm4AXQ63MCTI/RrOmok= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=bu6G5GHq; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="bu6G5GHq" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E62B11F000E9; Thu, 16 Jul 2026 14:05:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1784210747; bh=sBvSsc50wtsr/tu+047E5hUOGApsPA/JrFlvtz0eQ6g=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=bu6G5GHqMIsAUQCQFkNslfCjntlUpucmiKiF1o4PwjClVSKBfAYaJCvbwxxCSsfxS WATwa7uLqUNtu6CcFpFsUBkHy5NxjdfRayiHfj8FrdBpJgAbaU/PJNAnbdJ3YDDm6D 4gHbCwtifkfyjdJNh6DIvAAm3SrwaFecYChHiUNo= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, stable , Luka Gejak , Alexandru Hossu Subject: [PATCH 6.18 165/480] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop Date: Thu, 16 Jul 2026 15:28:32 +0200 Message-ID: <20260716133048.277720295@linuxfoundation.org> X-Mailer: git-send-email 2.55.0 In-Reply-To: <20260716133044.672218725@linuxfoundation.org> References: <20260716133044.672218725@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Alexandru Hossu commit ed51de4a86e173c3b0ef78e039c2e49e08b11f16 upstream. The IE parsing loop in update_beacon_info() advances by (pIE->length + 2) each iteration but only guards on i < len. When a malicious AP sends a Beacon whose last IE has only one byte remaining in the frame (the element_id byte lands at len-1), the loop reads pIE->length from one byte past the allocated receive buffer. Additionally, even when the header bytes are in bounds, pIE->length itself can extend the data window beyond len, passing a truncated IE to the handler functions. Add two guards at the top of the loop body: 1. Break if fewer than sizeof(*pIE) bytes remain (can't read header). 2. Break if the IE's declared data extends past len. Also replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length for consistency with the sizeof(*pIE) guards added above. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable Reviewed-by: Luka Gejak Signed-off-by: Alexandru Hossu Link: https://patch.msgid.link/20260522004531.1038924-2-hossu.alexandru@gmail.com Signed-off-by: Greg Kroah-Hartman --- drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c +++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c @@ -1288,7 +1288,11 @@ void update_beacon_info(struct adapter * len = pkt_len - (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN); for (i = 0; i < len;) { + if (i + sizeof(*pIE) > len) + break; pIE = (struct ndis_80211_var_ie *)(pframe + (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN) + i); + if (i + sizeof(*pIE) + pIE->length > len) + break; switch (pIE->element_id) { case WLAN_EID_VENDOR_SPECIFIC: @@ -1313,7 +1317,7 @@ void update_beacon_info(struct adapter * break; } - i += (pIE->length + 2); + i += sizeof(*pIE) + pIE->length; } }