From: Greg KH <gregkh@linuxfoundation.org>
To: Luka Gejak <lukagejak5@gmail.com>
Cc: straube.linux@gmail.com, dan.carpenter@linaro.org,
linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 4/5] staging: rtl8723bs: fix out-of-bounds check in rtw_restruct_wmm_ie
Date: Thu, 29 Jan 2026 15:13:18 +0100 [thread overview]
Message-ID: <2026012925-emblaze-barrel-46fc@gregkh> (raw)
In-Reply-To: <20260129132352.14615-5-lukagejak5@gmail.com>
On Thu, Jan 29, 2026 at 02:23:51PM +0100, Luka Gejak wrote:
> Add a length check before accessing the OUI in WMM
> IE to prevent potential out-of-bounds reads.
Is this really a bugfix? if so, it needs to go first, and be tagged for
stable trees.
> Use memcmp() for better readability.
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
>
> Signed-off-by: Luka Gejak <lukagejak5@gmail.com>
> ---
> drivers/staging/rtl8723bs/core/rtw_mlme.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme.c b/drivers/staging/rtl8723bs/core/rtw_mlme.c
> index c4f58106b3bd..18a70879f78f 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
> @@ -2000,7 +2000,8 @@ int rtw_restruct_wmm_ie(struct adapter *adapter, u8 *in_ie, u8 *out_ie, uint in_
> while (i < in_len) {
> ielength = initial_out_len;
>
> - if (in_ie[i] == 0xDD && in_ie[i+2] == 0x00 && in_ie[i+3] == 0x50 && in_ie[i+4] == 0xF2 && in_ie[i+5] == 0x02 && i+5 < in_len) { /* WMM element ID and OUI */
> + if (i + 5 < in_len && in_ie[i] == 0xDD &&
> + !memcmp(&in_ie[i + 2], "\x00\x50\xf2\x02", 4)) {
Very odd indentation :(
Also, why invert the i+5 check? And the memcmp check is now messier
than the original.
And is that where you are saying this is a security fix? If so, it's
just a read, not a write, so what is the security issue?
thanks,
greg k-h
next prev parent reply other threads:[~2026-01-29 14:13 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-29 13:23 [PATCH v2 0/5] staging: rtl8723bs: Cleanups and security fix Luka Gejak
2026-01-29 13:23 ` [PATCH v2 1/5] staging: rtl8723bs: rename u1bTmp to val Luka Gejak
2026-01-29 13:23 ` [PATCH v2 2/5] staging: rtl8723bs: fix spacing around operators Luka Gejak
2026-01-29 13:23 ` [PATCH v2 3/5] staging: rtl8723bs: modernize hex output in rtw_report_sec_ie Luka Gejak
2026-01-29 13:23 ` [PATCH v2 4/5] staging: rtl8723bs: fix out-of-bounds check in rtw_restruct_wmm_ie Luka Gejak
2026-01-29 14:13 ` Greg KH [this message]
[not found] ` <CADRnA91+NQ=DLRSj+9SoTMBAEKDmzFiX98XR1+YCM2tgBiyDTQ@mail.gmail.com>
2026-01-30 5:26 ` Greg KH
2026-01-30 5:56 ` Luka Gejak
2026-01-29 13:23 ` [PATCH v2 5/5] staging: rtl8723bs: remove dead debugging code in rtw_mlme_ext.c Luka Gejak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026012925-emblaze-barrel-46fc@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
--cc=lukagejak5@gmail.com \
--cc=straube.linux@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox