From: Dan Carpenter <error27@gmail.com>
To: Alexandru Hossu <hossu.alexandru@gmail.com>
Cc: gregkh@linuxfoundation.org, linux-staging@lists.linux.dev
Subject: Re: [PATCH 1/3] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
Date: Sat, 25 Apr 2026 14:42:48 +0300
Message-ID: <aeyouDLjj7tV3ZcF@stanley.mountain>
In-Reply-To: <20260424151932.3734611-2-hossu.alexandru@gmail.com>

On Fri, Apr 24, 2026 at 05:19:30PM +0200, Alexandru Hossu wrote:
> The IE parsing loop in update_beacon_info() advances by (pIE->length + 2)
> each iteration but only guards on i < len.  When a malicious AP sends a
> beacon whose last IE has only one byte remaining in the frame (the
> element_id byte lands at len-1), the loop reads pIE->length from one byte
> past the IE area.
> 
> Additionally, even when the header bytes are in bounds, pIE->length itself
> can extend the data window beyond len, silently passing a truncated IE to
> handler functions such as bwmode_update_check() and ERP_IE_handler().
> 
> The parallel fix already applied to OnAssocRsp() uses two guards:
>   1. Break if fewer than sizeof(*pIE) bytes remain (can't read the header).
>   2. Break if the IE's declared data extends past the frame boundary.
> 
> Apply the same pattern to update_beacon_info().
> 
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> ---
>  drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> index b75e7f4f8d27..551d7200d3a9 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> @@ -1292,7 +1292,11 @@ void update_beacon_info(struct adapter *padapter, u8 *pframe, uint pkt_len, stru
>  	len = pkt_len - (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN);
>  
>  	for (i = 0; i < len;) {
> +		if (i + sizeof(*pIE) > len)
> +			break;

At the end of the function it does:

		i += (pIE->length + 2);

Could you change that to:

		i += sizeof(*pIE) + pIE->length;

The original works, but it would be better if all three checks were
consistent.

regards,
dan carpenter


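The two-guard pattern the commit message describes (break if the 2-byte IE header does not fit, break if the declared payload runs past the frame), with the loop increment written in the same `sizeof(*ie) + ie->length` form Dan asks for, as an added example. This is not code from the rtl8723bs driver or from the patch: `struct ie_hdr`, `walk_ies`, `beacon_ie_len`, the `MAC_HDR_A3_LEN`/`BEACON_FIXED_LEN` constants and the `sample_*` buffers are all hypothetical names, and the sample IE areas are constructed for this example rather than captured from a real AP. The beacon fixed-part sizes (24-byte three-address header, 12 bytes of timestamp/interval/capability) are assumed to match what the driver's `WLAN_HDR_A3_LEN` and `_BEACON_IE_OFFSET_` stand for.

```c
/*
 * Added example, not code from the rtl8723bs driver or from this patch:
 * a bounds-checked walk over 802.11 information elements (IEs) using the
 * two guards the commit message describes, plus a guarded computation of
 * the IE-area length. Every name below (ie_hdr, ie_stats, walk_ies,
 * beacon_ie_len, the sample_* buffers) is hypothetical, and the sample
 * buffers are constructed for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 802.11 IE header: one byte element ID, one byte payload length. */
struct ie_hdr {
	uint8_t element_id;
	uint8_t length;
} __attribute__((packed));

struct ie_stats {
	unsigned complete;     /* IEs whose header and payload both fit */
	int truncated_hdr;     /* fewer than sizeof(struct ie_hdr) bytes left */
	int truncated_data;    /* declared length runs past the buffer end */
};

/*
 * Walk the IE area [ies, ies + len). Never reads past ies + len: the header
 * is checked before ie->length is read, and the payload is checked before
 * the element is counted as complete. The loop increment uses the same
 * sizeof(*ie) + ie->length expression as the guards.
 */
struct ie_stats walk_ies(const uint8_t *ies, size_t len)
{
	struct ie_stats st = { 0, 0, 0 };
	size_t i = 0;

	while (i < len) {
		const struct ie_hdr *ie = (const struct ie_hdr *)(ies + i);

		/* Guard 1: can the 2-byte header be read at all? */
		if (i + sizeof(*ie) > len) {
			st.truncated_hdr = 1;
			break;
		}
		/* Guard 2: does the declared payload fit in what remains? */
		if (i + sizeof(*ie) + ie->length > len) {
			st.truncated_data = 1;
			break;
		}
		st.complete++;
		i += sizeof(*ie) + ie->length;
	}
	return st;
}

/*
 * Assumed fixed-part sizes: 24-byte three-address MAC header and the
 * 12-byte timestamp/interval/capability block that precedes beacon IEs.
 * Returns 0 instead of wrapping when the frame is shorter than that.
 */
#define MAC_HDR_A3_LEN   24
#define BEACON_FIXED_LEN 12

size_t beacon_ie_len(size_t pkt_len)
{
	if (pkt_len < MAC_HDR_A3_LEN + BEACON_FIXED_LEN)
		return 0;
	return pkt_len - (MAC_HDR_A3_LEN + BEACON_FIXED_LEN);
}

/* Constructed sample IE areas (not captured traffic). */
/* SSID "test" followed by two supported rates: both complete. */
const uint8_t sample_ok[] = { 0x00, 4, 't', 'e', 's', 't', 0x01, 2, 0x82, 0x84 };
/* Same, but the last element ID lands at len-1 with no length byte. */
const uint8_t sample_short_hdr[] = { 0x00, 4, 't', 'e', 's', 't', 0x03 };
/* Header in bounds, but the declared length 0xff overruns the buffer. */
const uint8_t sample_overrun[] = { 0x00, 0xff, 't', 'e' };

int main(void)
{
	const struct { const char *name; const uint8_t *buf; size_t len; } cases[] = {
		{ "ok",        sample_ok,        sizeof(sample_ok) },
		{ "short_hdr", sample_short_hdr, sizeof(sample_short_hdr) },
		{ "overrun",   sample_overrun,   sizeof(sample_overrun) },
	};
	for (size_t n = 0; n < sizeof(cases) / sizeof(cases[0]); n++) {
		struct ie_stats st = walk_ies(cases[n].buf, cases[n].len);
		printf("%-10s complete=%u truncated_hdr=%d truncated_data=%d\n",
		       cases[n].name, st.complete, st.truncated_hdr, st.truncated_data);
	}
	printf("beacon_ie_len(30)=%zu beacon_ie_len(40)=%zu\n",
	       beacon_ie_len(30), beacon_ie_len(40));
	return 0;
}
```

The `sample_short_hdr` buffer is the exact shape the commit message describes: a trailing element ID at `len - 1` with no length byte behind it. The original `i < len` check alone would admit it and then read `ie->length` one byte past the IE area; guard 1 stops before that read. `sample_overrun` is the second case, where the header is in bounds but the 0xff length would hand a handler a window far past the frame; guard 2 stops it before any handler runs. `beacon_ie_len` is the caller-side check that keeps the unsigned subtraction from wrapping on a frame too short to contain an IE area at all.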
Thread overview: 7+ messages
2026-04-24 15:19 [PATCH 0/3] staging: rtl8723bs: fix OOB reads and heap overflow in IE parsing Alexandru Hossu
2026-04-24 15:19 ` [PATCH 1/3] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop Alexandru Hossu
2026-04-25 11:42   ` Dan Carpenter [this message]
2026-04-24 15:19 ` [PATCH 2/3] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl() Alexandru Hossu
2026-04-24 15:19 ` [PATCH 3/3] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie() Alexandru Hossu
2026-04-25 12:10   ` Dan Carpenter
2026-04-24 16:05 ` [PATCH 0/3] staging: rtl8723bs: fix OOB reads and heap overflow in IE parsing Luka Gejak