From: Alexandru Hossu <hossu.alexandru@gmail.com>
To: gregkh@linuxfoundation.org
Cc: linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org,
error27@gmail.com, luka.gejak@linux.dev, stable@vger.kernel.org
Subject: [PATCH v4 0/3] staging: rtl8723bs: fix OOB reads and heap overflow in IE parsing
Date: Tue, 5 May 2026 19:38:15 +0200
Message-ID: <20260505173818.3674164-1-hossu.alexandru@gmail.com>
In-Reply-To: <2026050436-italics-clumsy-e83c@gregkh>
v4, addressing the sashiko review comments on v3.
Regarding hardware: I do not have rtl8723bs hardware available. The
patches in this series are derived from static analysis of the code,
cross-checking against the 802.11 spec, and reviewing the patterns
already in use elsewhere in the same driver.
What changed in v4:
Patch 1 (update_beacon_info, bwmode_update_check):
- Added unsigned underflow guard: if pkt_len < _BEACON_IE_OFFSET_ +
WLAN_HDR_A3_LEN the subtraction that computes len would wrap to a
very large value. Return early.
- Swapped the WLAN_EID_VENDOR_SPECIFIC condition so pIE->length ==
WLAN_WMM_LEN is checked before memcmp(pIE->data, WMM_PARA_OUI, 6)
to prevent the 6-byte read on a short IE.
- Fixed bwmode_update_check(): changed pIE->length >
sizeof(struct HT_info_element) to != to also reject IEs shorter
than the struct, preventing the read of infos[0] on a zero-length IE.
Patch 2 (issue_assocreq, join_cmd_hdl):
- Added pIE->length >= 4 guard before the 4-byte OUI memcmps in both
WLAN_EID_VENDOR_SPECIFIC cases.
- In issue_assocreq() WLAN_EID_HT_CAPABILITY: added minimum length
check and replaced pIE->length with sizeof(struct HT_caps_element)
in rtw_set_ie() to prevent reads past the HT_caps struct.
- In join_cmd_hdl() WLAN_EID_HT_OPERATION: added minimum length check
before casting pIE->data to struct HT_info_element * and reading
infos[0].
Patch 3 (rtw_get_wps_ie, rtw_cfg80211_set_wpa_ie):
- Added two bounds checks in rtw_get_wps_ie(): break if fewer than
two header bytes remain; break if the declared payload extends past
in_len. Added in_ie[cnt + 1] >= 4 guard before the 4-byte WPS OUI
memcmp.
Alexandru Hossu (3):
staging: rtl8723bs: fix OOB reads in update_beacon_info() and
bwmode_update_check()
staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and
join_cmd_hdl()
staging: rtl8723bs: fix OOB reads in rtw_get_wps_ie() and
rtw_cfg80211_set_wpa_ie()
.../staging/rtl8723bs/core/rtw_ieee80211.c | 9 +++++-
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 30 ++++++++++++++-----
.../staging/rtl8723bs/core/rtw_wlan_util.c | 14 +++++++--
.../staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 8 +++++
4 files changed, 50 insertions(+), 11 deletions(-)
--
2.53.0
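The checks the cover letter lists (stop when fewer than two header bytes remain, reject a declared payload that runs past the buffer, compare an OUI only when the payload is at least OUI-length, and guard the header subtraction against unsigned wrap) pulled together into one IE walker. This is an added example, not code from the series or the rtl8723bs driver; the OUI bytes, the sample buffers and the constants are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: bounds-checked walk over 802.11 information
 * elements. Each IE is a 2-byte header (element ID, payload length)
 * followed by the payload. */
#define EID_VENDOR_SPECIFIC 221
#define OUI_LEN 4 /* 3-byte OUI plus 1-byte type, as in the WPS/WPA compares */

/* Hypothetical OUI value, constructed for this example. */
static const uint8_t EXAMPLE_OUI[OUI_LEN] = { 0x00, 0x50, 0xf2, 0x04 };

/* Length of the IE region after a fixed header of hdr_len bytes.
 * Returns 0 for a short frame instead of letting pkt_len - hdr_len
 * wrap to a huge value. */
size_t ie_region_len(size_t pkt_len, size_t hdr_len)
{
	return pkt_len < hdr_len ? 0 : pkt_len - hdr_len;
}

/* Offset of the first vendor-specific IE whose payload starts with
 * EXAMPLE_OUI, or -1. Never reads beyond in_ie[in_len - 1]. */
int find_vendor_ie(const uint8_t *in_ie, size_t in_len)
{
	size_t cnt = 0;

	while (cnt + 2 <= in_len) {            /* two header bytes remain */
		uint8_t eid = in_ie[cnt];
		uint8_t len = in_ie[cnt + 1];

		if (cnt + 2 + len > in_len)     /* declared payload past in_len */
			break;

		/* check len before the OUI memcmp so a short IE is never read */
		if (eid == EID_VENDOR_SPECIFIC && len >= OUI_LEN &&
		    memcmp(&in_ie[cnt + 2], EXAMPLE_OUI, OUI_LEN) == 0)
			return (int)cnt;

		cnt += 2 + len;
	}
	return -1;
}

/* Constructed sample buffers: a well-formed list whose first vendor IE
 * is too short for the OUI compare, and a truncated one. */
static const uint8_t SAMPLE_IES[] = {
	0x00, 0x04, 'a', 'b', 'c', 'd',          /* SSID, 4 bytes */
	221, 0x03, 0x00, 0x50, 0xf2,             /* vendor IE, only 3 bytes */
	221, 0x04, 0x00, 0x50, 0xf2, 0x04        /* vendor IE with full OUI */
};
static const uint8_t TRUNCATED_IES[] = { 221, 0x0a, 0x00, 0x50 };
```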