From: "Luka Gejak" <luka.gejak@linux.dev>
To: "Alexandru Hossu" <hossu.alexandru@gmail.com>,
<gregkh@linuxfoundation.org>
Cc: <linux-staging@lists.linux.dev>
Subject: Re: [PATCH 0/3] staging: rtl8723bs: fix OOB reads and heap overflow in IE parsing
Date: Fri, 24 Apr 2026 18:05:14 +0200 [thread overview]
Message-ID: <DI1IHIF0D6K2.1IU19G9JW5YEG@linux.dev> (raw)
In-Reply-To: <20260424151932.3734611-1-hossu.alexandru@gmail.com>
On Fri Apr 24, 2026 at 5:19 PM CEST, Alexandru Hossu wrote:
> This series fixes three related bugs in the rtl8723bs staging driver's
> 802.11 IE parsing code. All three follow the same root cause: IE parsing
> loops and IE handler functions do not validate that an IE's declared length
> fits within the actual frame/buffer before operating on it.
>
> Patch 1 and 2 fix OOB reads in three IE parsing loops
> (update_beacon_info, issue_assocreq, join_cmd_hdl) that lack the two-guard
> pattern already applied to OnAssocRsp() in a previous fix. A malicious AP
> sending a beacon or association response with a truncated final IE (e.g.,
> only the element_id byte present, no length byte) causes the loop to read
> pIE->length one byte past the end of the IE area.
>
> Patch 3 fixes a one-byte heap buffer overflow in rtw_cfg80211_set_wpa_ie().
> supplicant_ie is a 256-byte array in struct security_priv. Because
> wpa_ielen is taken directly from the IE length field (u8, 0-255), the copy:
>
> memcpy(supplicant_ie, pwpa, wpa_ielen + 2);
>
> can write up to 257 bytes. rtw_parse_wpa_ie()'s own length consistency
> check silently passes because it casts the arithmetic to u8:
> (u8)(257 - 2) == 255 == wpa_ielen. The overflow is triggered via
> NL80211_CMD_CONNECT with a crafted WPA IE of length 255; nl80211's
> validate_ie_attr() accepts this as a well-formed (though oversized) IE.
>
> Alexandru Hossu (3):
> staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
> staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and
> join_cmd_hdl()
> staging: rtl8723bs: fix heap buffer overflow in
> rtw_cfg80211_set_wpa_ie()
>
> drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 8 ++++++++
> drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 4 ++++
> drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 8 ++++++++
> 3 files changed, 20 insertions(+)
LGTM, so for the patch series:
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Best regards,
Luka Gejak
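To make the u8 truncation described in the cover letter concrete, here is a small model of the length consistency check beside a version that keeps the arithmetic wide and bounds the copy against the destination. This is an added illustration, not the driver's code or the merged patch: SUPPLICANT_IE_LEN follows the 256-byte figure from the cover letter, and the function names, the constructed element bytes and the shape of the hardened check are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Size of supplicant_ie in struct security_priv, per the cover letter. */
#define SUPPLICANT_IE_LEN 256

/* Model of the consistency check the cover letter describes: the subtraction
 * is narrowed to u8 before the comparison, so a 257-byte element whose length
 * field says 255 still "matches": (u8)(257 - 2) == 255.  Not the driver's code. */
static bool len_check_truncated(size_t total_ie_len, uint8_t declared_len)
{
	return (uint8_t)(total_ie_len - 2) == declared_len;
}

/* One possible hardened check (assumed, not the merged fix): compare in
 * size_t, and require that id + len + body fits the destination buffer. */
static bool len_check_fixed(size_t total_ie_len, uint8_t declared_len, size_t dst_size)
{
	size_t copy_len = (size_t)declared_len + 2;	/* element_id, length, body */

	if (total_ie_len != copy_len)
		return false;
	return copy_len <= dst_size;
}

/* Build a constructed vendor-specific element (id 0xdd) with a given body
 * length; returns the total element size or 0 if it does not fit. */
static size_t build_ie(uint8_t *out, size_t out_size, uint8_t body_len)
{
	size_t total = (size_t)body_len + 2;

	if (total > out_size)
		return 0;
	out[0] = 0xdd;
	out[1] = body_len;
	memset(out + 2, 0xaa, body_len);
	return total;
}

/* Guarded copy: rejects an element too short to carry a length byte (the
 * truncated-final-IE case from patches 1 and 2) and any element whose
 * wpa_ielen + 2 would exceed dst.  Returns bytes copied, 0 if rejected. */
static size_t copy_wpa_ie(uint8_t *dst, size_t dst_size, const uint8_t *ie, size_t total_ie_len)
{
	if (total_ie_len < 2)
		return 0;
	if (!len_check_fixed(total_ie_len, ie[1], dst_size))
		return 0;
	memcpy(dst, ie, (size_t)ie[1] + 2);
	return (size_t)ie[1] + 2;
}
```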