Re: [PATCH v2] staging: rtl8723bs: fix remote heap information disclosure in issue_assocreq

[Dan Carpenter <error27@gmail.com>]

On Wed, Apr 15, 2026 at 12:55:48PM +0200, Luka Gejak wrote:
> On Wed Apr 15, 2026 at 10:58 AM CEST, Dan Carpenter wrote:
> > On Wed, Apr 15, 2026 at 07:03:02AM +0200, luka.gejak@linux.dev wrote:
> >> From: Luka Gejak <luka.gejak@linux.dev>
> >> 
> >> When building an association request frame, the driver copies the
> >> ht capability ie using the attacker-controlled pIE->length from the
> >> ap's beacon. If the ap provides a length greater than the size of
> >> struct HT_caps_element (26 bytes), it causes an out-of-bounds read
> >> of the adjacent heap memory (HT_info and network structures).
> >> This uninitialized or sensitive memory is then transmitted over the air,
> >> resulting in a remote heap information disclosure.
> >> 
> >> Fix this by clamping the length passed to rtw_set_ie() to the actual
> >> size of struct HT_caps_element.
> >> 
> >> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> >> Cc: stable@vger.kernel.org
> >> Signed-off-by: Luka Gejak <luka.gejak@linux.dev>
> >> ---
> >> ---
> >> Changes in v2:
> >> - Refactored rtw_set_ie() alignment to follow "open parenthesis" style.
> >> - Allowed the line length to exceed 100 characters for better readability as requested by Greg KH.
> >> 
> >>  drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 4 +++-
> >>  1 file changed, 3 insertions(+), 1 deletion(-)
> >> 
> >> diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> >> index 5f00fe282d1b..08e597bc0345 100644
> >> --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> >> +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> >> @@ -2954,7 +2954,9 @@ void issue_assocreq(struct adapter *padapter)
> >>  			if (padapter->mlmepriv.htpriv.ht_option) {
> >>  				if (!(is_ap_in_tkip(padapter))) {
> >>  					memcpy(&(pmlmeinfo->HT_caps), pIE->data, sizeof(struct HT_caps_element));
> >> -					pframe = rtw_set_ie(pframe, WLAN_EID_HT_CAPABILITY, pIE->length, (u8 *)(&(pmlmeinfo->HT_caps)), &(pattrib->pktlen));
> >> +					pframe = rtw_set_ie(pframe, WLAN_EID_HT_CAPABILITY,
> >> +							    min_t(uint, pIE->length, sizeof(struct HT_caps_element)),
> >> +							    (u8 *)&pmlmeinfo->HT_caps, &pattrib->pktlen);
> >
> > You're being conservative and trying to work around the invalid
> > pIE->length, but in the case where the original code corrupts memory,
> > we're allow to just give up and return a failure.
> >
> > There are two other cases where we trust pIE->length in this function
> > and those need to be fixed as well.
> >
> > regards,
> > dan carpenter
> 
> Hi Dan,
> should I keep my approach as is or just return failure. I will fix other
> cases as well with whatever approach you consider correct.

You should return a failure.

regards,
dan carpenter