From: Dan Carpenter <error27@gmail.com>
To: Alexandru Hossu <hossu.alexandru@gmail.com>
Cc: greg@kroah.com, dan.carpenter@linaro.org,
linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
Date: Sat, 25 Apr 2026 15:11:54 +0300
Message-ID: <aeyvikR0uECYRY6X@stanley.mountain>
In-Reply-To: <20260425115936.2899314-1-hossu.alexandru@gmail.com>
On Sat, Apr 25, 2026 at 01:59:36PM +0200, Alexandru Hossu wrote:
> The IE parsing loop in update_beacon_info() advances by
> (pIE->length + 2) each iteration but only guards on i < len.
> When a malicious AP sends a Beacon whose last IE has only one byte
> remaining in the frame (the element_id byte lands at len-1), the loop
> reads pIE->length from one byte past the allocated receive buffer.
>
> Additionally, even when the header bytes are in bounds, pIE->length
> itself can extend the data window beyond len, passing a truncated IE
> to the handler functions.
>
> Add two guards at the top of the loop body:
> 1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
> 2. Break if the IE's declared data extends past len.
>
> Also replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length
> for consistency with the sizeof(*pIE) guards added above.
>
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> ---
> v2: Replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length
> for consistency with the sizeof(*pIE) guards (Dan Carpenter).

Please wait a day between resends and resend the whole series.

regards,
dan carpenter
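Added example, not the driver's code and not the patch itself: a stand-alone C model of the IE walk the commit message describes, with a dry run of the original loop's index arithmetic that reports where it would read pIE->length at or past len, beside a walk carrying the two guards the patch adds. The 2-byte struct ie_hdr, the function names and the Beacon byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed 2-byte IE header; data follows. Stands in for the driver's
 * IE struct, it is not the driver's own definition. */
struct ie_hdr {
    uint8_t element_id;
    uint8_t length;
};

/* Dry run of the original loop (guards only on i < len, steps by length + 2)
 * without dereferencing past len: returns the offset of the first header
 * byte it would read at or beyond len, or -1 if all header reads fit. */
long unguarded_first_oob_offset(const uint8_t *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        if (i + 1 >= len)           /* pIE->length would sit at buf[len] */
            return (long)(i + 1);
        i += (size_t)buf[i + 1] + 2;
    }
    return -1;
}

/* Walk with the two guards the patch adds. Returns the number of complete
 * IEs visited; *truncated is set when the frame ends in a partial element. */
int guarded_walk(const uint8_t *buf, size_t len, int *truncated)
{
    size_t i = 0;
    int n = 0;
    *truncated = 0;
    while (i < len) {
        const struct ie_hdr *pIE = (const struct ie_hdr *)(buf + i);
        if (len - i < sizeof(*pIE)) { *truncated = 1; break; }             /* guard 1: header */
        if (pIE->length > len - i - sizeof(*pIE)) { *truncated = 1; break; } /* guard 2: data */
        n++;
        i += sizeof(*pIE) + pIE->length;
    }
    return n;
}

/* Convenience wrapper exposing only the truncation flag. */
int guarded_walk_truncated(const uint8_t *buf, size_t len) { int t; guarded_walk(buf, len, &t); return t; }

/* Constructed Beacon IE areas: SSID "abc" (id 0) + DS Parameter Set (id 3,
 * channel 6), well formed; the same with a lone trailing id byte (the len-1
 * case); and one whose last IE declares more data than the frame holds. */
static const uint8_t beacon_ok[]          = {0, 3, 'a', 'b', 'c', 3, 1, 6};
static const uint8_t beacon_trailing_id[] = {0, 3, 'a', 'b', 'c', 3, 1, 6, 0x32};
static const uint8_t beacon_overlong[]    = {0, 3, 'a', 'b', 'c', 0x32, 4, 0x0c};
```

On beacon_overlong the original loop's header reads all stay in bounds, which is the second case the commit message names: the IE is passed on with a data window extending past len, and only guard 2 catches it.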