From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Navaneeth K <knavaneeth786@gmail.com>,
stable <stable@kernel.org>
Subject: [PATCH 6.18 27/29] staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
Date: Wed, 10 Dec 2025 16:30:37 +0900 [thread overview]
Message-ID: <20251210072945.102463004@linuxfoundation.org> (raw)
In-Reply-To: <20251210072944.363788552@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Navaneeth K <knavaneeth786@gmail.com>
commit 154828bf9559b9c8421fc2f0d7f7f76b3683aaed upstream.
The Information Element (IE) parser rtw_get_ie() trusted the length
byte of each IE without validating that the IE body (len bytes after
the 2-byte header) fits inside the remaining frame buffer. A malformed
frame can advertise an IE length larger than the available data, causing
the parser to increment its pointer beyond the buffer end. This results
in out-of-bounds reads or, depending on the pattern, an infinite loop.
Fix by validating that (offset + 2 + len) does not exceed the limit
before accepting the IE or advancing to the next element.
This prevents OOB reads and ensures the parser terminates safely on
malformed frames.
Signed-off-by: Navaneeth K <knavaneeth786@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
--- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
+++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
@@ -140,22 +140,24 @@ u8 *rtw_get_ie(u8 *pbuf, signed int inde
signed int tmp, i;
u8 *p;
- if (limit < 1)
+ if (limit < 2)
return NULL;
p = pbuf;
i = 0;
*len = 0;
- while (1) {
+ while (i + 2 <= limit) {
+ tmp = *(p + 1);
+ if (i + 2 + tmp > limit)
+ break;
+
if (*p == index) {
- *len = *(p + 1);
+ *len = tmp;
return p;
}
- tmp = *(p + 1);
+
p += (tmp + 2);
i += (tmp + 2);
- if (i >= limit)
- break;
}
return NULL;
}
next prev parent reply other threads:[~2025-12-10 7:36 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-10 7:30 [PATCH 6.18 00/29] 6.18.1-rc1 review Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 01/29] Documentation: process: Also mention Sasha Levin as stable tree maintainer Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 02/29] jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 03/29] ext4: refresh inline data size before write operations Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 04/29] ksmbd: ipc: fix use-after-free in ipc_msg_send_request Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 05/29] locking/spinlock/debug: Fix data-race in do_raw_write_lock Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 06/29] crypto: zstd - fix double-free in per-CPU stream cleanup Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 07/29] ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 08/29] rust_binder: fix race condition on death_list Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 09/29] comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 10/29] KVM: SVM: Dont skip unrelated instruction if INT3/INTO is replaced Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 11/29] USB: serial: option: add Foxconn T99W760 Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 12/29] USB: serial: option: add Telit Cinterion FE910C04 new compositions Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 13/29] USB: serial: option: move Telit 0x10c7 composition in the right place Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 14/29] USB: serial: ftdi_sio: match on interface number for jtag Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 15/29] serial: add support of CPCI cards Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 16/29] dt-bindings: serial: rsci: Drop "uart-has-rtscts: false" Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 17/29] serial: sh-sci: Fix deadlock during RSCI FIFO overrun error Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 18/29] USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 19/29] USB: serial: kobil_sct: " Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 20/29] Documentation/rtla: rename common_xxx.rst files to common_xxx.txt Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 21/29] wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1 Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 22/29] wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U " Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 23/29] iio: adc: ad4080: fix chip identification Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 24/29] comedi: c6xdigio: Fix invalid PNP driver unregistration Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 25/29] comedi: multiq3: sanitize config options in multiq3_attach() Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 26/29] comedi: check devices attached status in compat ioctls Greg Kroah-Hartman
2025-12-10 7:30 ` Greg Kroah-Hartman [this message]
2025-12-10 7:30 ` [PATCH 6.18 28/29] staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing Greg Kroah-Hartman
2025-12-10 7:30 ` [PATCH 6.18 29/29] staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR " Greg Kroah-Hartman
2025-12-10 10:15 ` [PATCH 6.18 00/29] 6.18.1-rc1 review Brett A C Sheffield
2025-12-10 12:17 ` Takeshi Ogasawara
2025-12-10 13:18 ` Jeffrin Thalakkottoor
2025-12-10 14:01 ` Achill Gilgenast
2025-12-10 14:32 ` Peter Schneider
2025-12-10 19:42 ` Florian Fainelli
2025-12-10 21:02 ` Dileep malepu
2025-12-10 21:49 ` Ronald Warsow
2025-12-10 20:43 ` Hardik Garg
2025-12-10 21:54 ` Ron Economos
2025-12-11 6:44 ` Naresh Kamboju
2025-12-11 9:02 ` Mark Brown
2025-12-12 9:25 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251210072945.102463004@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=knavaneeth786@gmail.com \
--cc=patches@lists.linux.dev \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).