* staging: rtl8723bs: OOB write in HT_caps_handler() via attacker-controlled IE length
@ 2026-05-15 10:29 Alexandru Hossu
  2026-05-15 10:35 ` Greg KH
  0 siblings, 1 reply; 2+ messages in thread
From: Alexandru Hossu @ 2026-05-15 10:29 UTC (permalink / raw)
  To: linux-staging; +Cc: gregkh, dan.carpenter

Hi,

I found an out-of-bounds write in HT_caps_handler() in
drivers/staging/rtl8723bs/core/rtw_wlan_util.c.

At lines 938-942:

    for (i = 0; i < (pIE->length); i++) {
        if (i != 2) {
            pmlmeinfo->HT_caps.u.HT_cap[i] &= (pIE->data[i]);

HT_cap[] is 26 bytes (wifi.h:349). pIE->length comes from the
WLAN_EID_HT_CAPABILITY IE in an association response and can be up to 255.
The loop writes up to 229 bytes past the end of the array.

A rogue access point triggers this by sending an HT Capability IE with
length > 26 in the association response. No authentication is needed.

The write is AND-only so it can only clear bits in adjacent struct fields
(HT_info, wlan_bssid_ex). This causes state corruption and can crash the
driver. The RTL8723BS chip is in a large number of cheap laptops and IoT
devices.

Suggested fix:

    u8 ht_cap_len = min_t(u8, pIE->length,
                          sizeof(pmlmeinfo->HT_caps.u.HT_cap));
    for (i = 0; i < ht_cap_len; i++) {

Tested on linux-next commit e98d21c170b0 (2026-05-08).

Alexandru

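The following is an added, user-space model of the bug and of the suggested clamp; it is not the reporter's code and not the rtl8723bs driver. It assumes only what the report states (HT_cap[] is 26 bytes, the IE length is a single byte of at most 255, byte 2 is skipped, the operation is AND-only); the struct layout, the all-ones initial capability bytes and the 255-byte IE payload are constructed for the demonstration, and the real driver's neighbouring fields are replaced by a sentinel buffer so that any write past HT_cap[] would be detectable. The overrun of the original loop is computed arithmetically rather than performed, so the program has no undefined behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the relevant fields. HT_cap[] is 26 bytes, as the
 * report states; "neighbour" stands in for whatever follows it in the real
 * struct (HT_info, wlan_bssid_ex) and is used only to detect overruns. */
#define HT_CAP_LEN 26

struct ht_caps_model {
    uint8_t HT_cap[HT_CAP_LEN];
    uint8_t neighbour[256];
};

/* Minimal 802.11 information-element view: element id, length, payload.
 * The length field is one byte on the wire, hence at most 255. */
struct ie_view {
    uint8_t id;
    uint8_t length;
    const uint8_t *data;
};

#define WLAN_EID_HT_CAPABILITY 45  /* element id from the 802.11 standard */

/* Bytes the unbounded loop from the report would write past HT_cap[] for a
 * given IE length. Computed, never performed: 255 -> 229, 26 -> 0. */
size_t ht_caps_overrun_bytes(uint8_t ie_length)
{
    return ie_length > HT_CAP_LEN ? (size_t)(ie_length - HT_CAP_LEN) : 0;
}

/* Hardened handler following the suggested fix: the loop bound is clamped
 * to sizeof(HT_cap) (the kernel would use min_t for this). Reads of
 * ie->data stay within the IE because i < ie->length always holds.
 * Returns the number of bytes actually applied. */
size_t ht_caps_handler_bounded(struct ht_caps_model *m, const struct ie_view *ie)
{
    uint8_t len = ie->length < sizeof(m->HT_cap)
                    ? ie->length : (uint8_t)sizeof(m->HT_cap);
    size_t i;

    for (i = 0; i < len; i++) {
        if (i != 2)                    /* byte 2 is left alone, as in the driver */
            m->HT_cap[i] &= ie->data[i];
    }
    return len;
}

/* Feeds a constructed oversized IE (length 255, all-zero payload) through
 * the bounded handler and checks that nothing outside HT_cap[] changed.
 * Returns 1 when the clamp held, 0 if any sentinel byte was modified. */
int demo_oversized_ie(void)
{
    uint8_t payload[255] = {0};        /* constructed payload */
    struct ie_view ie = { WLAN_EID_HT_CAPABILITY, 255, payload };
    struct ht_caps_model m;
    size_t applied, i;

    memset(&m, 0xff, sizeof(m));       /* assumption: all bits set beforehand */

    applied = ht_caps_handler_bounded(&m, &ie);
    if (applied != HT_CAP_LEN)
        return 0;
    for (i = 0; i < sizeof(m.neighbour); i++)
        if (m.neighbour[i] != 0xff)    /* anything here means an overrun */
            return 0;
    if (m.HT_cap[2] != 0xff)           /* skipped byte must be untouched */
        return 0;
    for (i = 0; i < HT_CAP_LEN; i++)
        if (i != 2 && m.HT_cap[i] != 0) /* every other byte was ANDed with 0 */
            return 0;
    return 1;
}

int main(void)
{
    printf("unbounded loop, IE length 255: %zu bytes past HT_cap[]\n",
           ht_caps_overrun_bytes(255));
    printf("bounded handler on oversized IE: %s\n",
           demo_oversized_ie() ? "no overrun" : "OVERRUN");
    return 0;
}
```

The same clamp-before-loop shape applies to any fixed-size capability array filled from an attacker-supplied TLV length; the check belongs on the destination size, not on the element length alone.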

* Re: staging: rtl8723bs: OOB write in HT_caps_handler() via attacker-controlled IE length
  2026-05-15 10:29 staging: rtl8723bs: OOB write in HT_caps_handler() via attacker-controlled IE length Alexandru Hossu
@ 2026-05-15 10:35 ` Greg KH
  0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2026-05-15 10:35 UTC (permalink / raw)
  To: Alexandru Hossu; +Cc: linux-staging, dan.carpenter

On Fri, May 15, 2026 at 03:29:21AM -0700, Alexandru Hossu wrote:
> Hi,
> 
> I found an out-of-bounds write in HT_caps_handler() in
> drivers/staging/rtl8723bs/core/rtw_wlan_util.c.
> 
> At lines 938-942:
> 
>     for (i = 0; i < (pIE->length); i++) {
>         if (i != 2) {
>             pmlmeinfo->HT_caps.u.HT_cap[i] &= (pIE->data[i]);
> 
> HT_cap[] is 26 bytes (wifi.h:349). pIE->length comes from the
> WLAN_EID_HT_CAPABILITY IE in an association response and can be up to 255.
> The loop writes up to 229 bytes past the end of the array.
> 
> A rogue access point triggers this by sending an HT Capability IE with
> length > 26 in the association response. No authentication is needed.
> 
> The write is AND-only so it can only clear bits in adjacent struct fields
> (HT_info, wlan_bssid_ex). This causes state corruption and can crash the
> driver. The RTL8723BS chip is in a large number of cheap laptops and IoT
> devices.
> 
> Suggested fix:
> 
>     u8 ht_cap_len = min_t(u8, pIE->length,
>                           sizeof(pmlmeinfo->HT_caps.u.HT_cap));
>     for (i = 0; i < ht_cap_len; i++) {
> 
> Tested on linux-next commit e98d21c170b0 (2026-05-08).
> 
> Alexandru

Great, please send a fix!

thanks,

greg k-h
