From: Greg KH <gregkh@linuxfoundation.org>
To: Luka Gejak <luka.gejak@linux.dev>
Cc: Alexandru Hossu <hossu.alexandru@gmail.com>,
linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org,
dan.carpenter@linaro.org
Subject: Re: [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler()
Date: Sun, 26 Apr 2026 21:26:36 +0200
Message-ID: <2026042630-tightness-runner-2121@gregkh>
In-Reply-To: <DHYWSUFIWZIM.3C0KFC5EYNHB5@linux.dev>
On Tue, Apr 21, 2026 at 04:40:17PM +0200, Luka Gejak wrote:
> On Mon Apr 20, 2026 at 4:08 PM CEST, Alexandru Hossu wrote:
> > HT_caps_handler() iterates pIE->length bytes and writes into
> > HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
> > HT_caps_element). Because pIE->length is a raw u8 from an over-the-air
> > 802.11 AssocResponse frame and is never validated, a malicious AP can set
> > it up to 255, causing up to 229 bytes of out-of-bounds writes into
> > adjacent fields of struct mlme_ext_info.
> >
> > The parallel function HT_info_handler() already carries the correct guard:
> >
> > 	if (pIE->length > sizeof(struct HT_info_element))
> > 		return;
> >
> > Apply the same pattern to HT_caps_handler().
> >
> > Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> > ---
> > drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> > index 6a7c09db4..b75e7f4f8 100644
> > --- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> > +++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> > @@ -934,6 +934,9 @@ void HT_caps_handler(struct adapter *padapter, struct ndis_80211_var_ie *pIE)
> > if (phtpriv->ht_option == false)
> > return;
> >
> > + if (pIE->length > sizeof(struct HT_caps_element))
> > + return;
> > +
> > pmlmeinfo->HT_caps_enable = 1;
> >
> > for (i = 0; i < (pIE->length); i++) {
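Review bot: the early return placed before `pmlmeinfo->HT_caps_enable = 1;` does more than stop the out-of-bounds write; it skips the flag and the whole copy loop, so any AP whose HT capabilities element is longer than the 26-byte struct HT_caps_element is treated as having no HT capabilities at all, which is a behaviour change for such peers rather than just a bounds fix. Since the copy is a byte-wise loop over pIE->length, clamping the bound confines the write to HT_cap[] while keeping association behaviour intact, e.g. `len = min_t(size_t, pIE->length, sizeof(struct HT_caps_element));` followed by `for (i = 0; i < len; i++) {`.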
>
> Hi Alexandru,
> this fix has already been made by Greg KH, so this patch is
> unnecessary. You can see his patch at [1].
> Best regards,
> Luka Gejak
>
> [1]: https://lore.kernel.org/linux-staging/2026041408-grill-mahogany-d1e3@gregkh/
Yeah, and we both got it wrong: if we do this, it will break things on
some systems according to the AI review bot. So we need to just
truncate the data, not abort.
Alexandru, want to fix this up in your version and send it? If so, I'll
drop mine.
thanks,
greg k-h
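An added example, not the driver's code or either patch, that models the two fixes discussed in this thread. It uses constructed stand-ins for struct ndis_80211_var_ie and struct mlme_ext_info (the type, field and function names below are mine; only the 26-byte size of struct HT_caps_element comes from the commit message). It shows that the early-return guard is memory-safe but leaves HT disabled for any element longer than 26 bytes, while clamping the copy length keeps the write inside HT_cap[] and still enables HT, which is the truncate-instead-of-abort behaviour asked for above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the driver's struct HT_caps_element, as the commit
 * message states (26 bytes). */
#define HT_CAP_LEN 26
#define GUARD_LEN 8

/* Constructed stand-in for struct ndis_80211_var_ie: a raw u8 length
 * that the peer controls, followed by up to 255 payload bytes. */
struct var_ie {
	uint8_t element_id;
	uint8_t length;
	uint8_t data[255];
};

/* Constructed stand-in for the relevant part of struct mlme_ext_info.
 * The guard bytes play the role of the adjacent fields that an
 * unbounded copy would overwrite. */
struct mlme_info {
	uint8_t ht_cap[HT_CAP_LEN];
	uint8_t ht_caps_enable;
	uint8_t guard[GUARD_LEN];
};

typedef size_t (*ht_handler_t)(struct mlme_info *, const struct var_ie *);

/* Abort variant (what both patches did): refuse any element longer than
 * the destination. Memory-safe, but a peer that sends a longer HT
 * capabilities element ends up with ht_caps_enable left at 0. */
static size_t ht_caps_abort(struct mlme_info *info, const struct var_ie *ie)
{
	if (ie->length > HT_CAP_LEN)
		return 0;
	memcpy(info->ht_cap, ie->data, ie->length);
	info->ht_caps_enable = 1;
	return ie->length;
}

/* Truncate variant (what the thread settles on): copy at most HT_CAP_LEN
 * bytes, i.e. clamp the loop bound, and still record that HT is on. */
static size_t ht_caps_truncate(struct mlme_info *info, const struct var_ie *ie)
{
	size_t len = ie->length;

	if (len > HT_CAP_LEN)
		len = HT_CAP_LEN;
	memcpy(info->ht_cap, ie->data, len);
	info->ht_caps_enable = 1;
	return len;
}

struct outcome {
	int guard_intact;   /* 1 if no byte past ht_cap[] changed */
	int ht_enabled;     /* final value of ht_caps_enable */
	size_t copied;      /* bytes written into ht_cap[] */
};

/* Feeds a constructed HT capabilities element (element ID 45) of the
 * requested length, filled with 0xAA, to one handler and reports what
 * happened to the destination. */
static struct outcome run_handler(ht_handler_t handler, uint8_t ie_length)
{
	struct mlme_info info;
	struct var_ie ie;
	uint8_t expected_guard[GUARD_LEN];
	struct outcome out;

	memset(&info, 0, sizeof(info));
	memset(info.guard, 0x5A, GUARD_LEN);
	memcpy(expected_guard, info.guard, GUARD_LEN);

	memset(&ie, 0, sizeof(ie));
	ie.element_id = 45;
	ie.length = ie_length;
	memset(ie.data, 0xAA, ie_length);

	out.copied = handler(&info, &ie);
	out.guard_intact = memcmp(info.guard, expected_guard, GUARD_LEN) == 0;
	out.ht_enabled = info.ht_caps_enable;
	return out;
}

int main(void)
{
	/* A constructed element with the maximum u8 length of 255. */
	struct outcome a = run_handler(ht_caps_abort, 255);
	struct outcome t = run_handler(ht_caps_truncate, 255);

	printf("abort:    guard_intact=%d ht_enabled=%d copied=%zu\n",
	       a.guard_intact, a.ht_enabled, a.copied);
	printf("truncate: guard_intact=%d ht_enabled=%d copied=%zu\n",
	       t.guard_intact, t.ht_enabled, t.copied);
	return 0;
}
```

Both handlers leave the guard bytes untouched for a 255-byte element, so both close the hole; the difference is that the abort variant reports ht_enabled=0 and copied=0, which is the breakage the review bot flagged, while the truncate variant reports ht_enabled=1 and copied=26.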
Thread overview: 8+ messages
2026-04-20 14:08 [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler() Alexandru Hossu
2026-04-20 14:08 ` [PATCH 2/2] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop Alexandru Hossu
2026-04-21 14:43 ` Luka Gejak
2026-04-21 14:40 ` [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler() Luka Gejak
2026-04-21 14:45 ` Luka Gejak
2026-04-26 19:26 ` Greg KH [this message]