From: Alexandru Hossu <hossu.alexandru@gmail.com>
To: gregkh@linuxfoundation.org
Cc: linux-staging@lists.linux.dev,
Alexandru Hossu <hossu.alexandru@gmail.com>
Subject: [PATCH 0/3] staging: rtl8723bs: fix OOB reads and heap overflow in IE parsing
Date: Fri, 24 Apr 2026 17:19:29 +0200 [thread overview]
Message-ID: <20260424151932.3734611-1-hossu.alexandru@gmail.com> (raw)
This series fixes three related bugs in the rtl8723bs staging driver's
802.11 IE parsing code. All three follow the same root cause: IE parsing
loops and IE handler functions do not validate that an IE's declared length
fits within the actual frame/buffer before operating on it.
Patch 1 and 2 fix OOB reads in three IE parsing loops
(update_beacon_info, issue_assocreq, join_cmd_hdl) that lack the two-guard
pattern already applied to OnAssocRsp() in a previous fix. A malicious AP
sending a beacon or association response with a truncated final IE (e.g.,
only the element_id byte present, no length byte) causes the loop to read
pIE->length one byte past the end of the IE area.
Patch 3 fixes a one-byte heap buffer overflow in rtw_cfg80211_set_wpa_ie().
supplicant_ie is a 256-byte array in struct security_priv. Because
wpa_ielen is taken directly from the IE length field (u8, 0-255), the copy:
memcpy(supplicant_ie, pwpa, wpa_ielen + 2);
can write up to 257 bytes. rtw_parse_wpa_ie()'s own length consistency
check silently passes because it casts the arithmetic to u8:
(u8)(257 - 2) == 255 == wpa_ielen. The overflow is triggered via
NL80211_CMD_CONNECT with a crafted WPA IE of length 255; nl80211's
validate_ie_attr() accepts this as a well-formed (though oversized) IE.
Alexandru Hossu (3):
staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and
join_cmd_hdl()
staging: rtl8723bs: fix heap buffer overflow in
rtw_cfg80211_set_wpa_ie()
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 8 ++++++++
drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 4 ++++
drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 8 ++++++++
3 files changed, 20 insertions(+)
--
2.53.0
next reply other threads:[~2026-04-24 15:21 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-24 15:19 Alexandru Hossu [this message]
2026-04-24 15:19 ` [PATCH 1/3] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop Alexandru Hossu
2026-04-25 11:42 ` Dan Carpenter
2026-04-24 15:19 ` [PATCH 2/3] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl() Alexandru Hossu
2026-04-24 15:19 ` [PATCH 3/3] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie() Alexandru Hossu
2026-04-25 12:10 ` Dan Carpenter
2026-04-24 16:05 ` [PATCH 0/3] staging: rtl8723bs: fix OOB reads and heap overflow in IE parsing Luka Gejak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260424151932.3734611-1-hossu.alexandru@gmail.com \
--to=hossu.alexandru@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-staging@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox