* [PATCH v6 1/7] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
2026-05-21 13:03 [PATCH v6 0/7] staging: rtl8723bs: fix OOB reads and writes in IE/attribute parsing Alexandru Hossu
@ 2026-05-21 13:03 ` Alexandru Hossu
2026-05-21 13:03 ` [PATCH v6 2/7] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl() Alexandru Hossu
` (7 subsequent siblings)
8 siblings, 0 replies; 18+ messages in thread
From: Alexandru Hossu @ 2026-05-21 13:03 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, stable, hossu.alexandru, Luka Gejak
The IE parsing loop in update_beacon_info() advances by
(pIE->length + 2) each iteration but only guards on i < len.
When a malicious AP sends a Beacon whose last IE has only one byte
remaining in the frame (the element_id byte lands at len-1), the loop
reads pIE->length from one byte past the allocated receive buffer.
Additionally, even when the header bytes are in bounds, pIE->length
itself can extend the data window beyond len, passing a truncated IE
to the handler functions.
Add two guards at the top of the loop body:
1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
2. Break if the IE's declared data extends past len.
Also replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length
for consistency with the sizeof(*pIE) guards added above.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index 6a7c09db4cd9..e0d73c267786 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -1289,7 +1289,11 @@ void update_beacon_info(struct adapter *padapter, u8 *pframe, uint pkt_len, stru
len = pkt_len - (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN);
for (i = 0; i < len;) {
+ if (i + sizeof(*pIE) > len)
+ break;
pIE = (struct ndis_80211_var_ie *)(pframe + (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN) + i);
+ if (i + sizeof(*pIE) + pIE->length > len)
+ break;
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:
@@ -1314,7 +1318,7 @@ void update_beacon_info(struct adapter *padapter, u8 *pframe, uint pkt_len, stru
break;
}
- i += (pIE->length + 2);
+ i += sizeof(*pIE) + pIE->length;
}
}
--
2.54.0
^ permalink raw reply related [flat|nested] 18+ messages in thread* [PATCH v6 2/7] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl()
2026-05-21 13:03 [PATCH v6 0/7] staging: rtl8723bs: fix OOB reads and writes in IE/attribute parsing Alexandru Hossu
2026-05-21 13:03 ` [PATCH v6 1/7] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop Alexandru Hossu
@ 2026-05-21 13:03 ` Alexandru Hossu
2026-05-21 13:03 ` [PATCH v6 3/7] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie() Alexandru Hossu
` (6 subsequent siblings)
8 siblings, 0 replies; 18+ messages in thread
From: Alexandru Hossu @ 2026-05-21 13:03 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, stable, hossu.alexandru, Luka Gejak
Two IE parsing loops are missing the header bounds checks before they
dereference pIE->length:
- issue_assocreq() walks pmlmeinfo->network.ies to build the
association request. If the stored IE data ends with only an
element_id byte and no length byte, pIE->length is read one byte
past the end of the buffer.
- join_cmd_hdl() walks pnetwork->ies during station join and has
the same problem under the same conditions.
Both buffers are filled from AP beacon and probe-response frames, so a
malicious AP that sends a truncated final IE can trigger the issue.
Apply the two-guard pattern established in update_beacon_info():
1. Break if fewer than sizeof(*pIE) bytes remain.
2. Break if the IE's declared data extends past the buffer end.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index 884cd39ec756..c646dc2a1741 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -2931,7 +2931,11 @@ void issue_assocreq(struct adapter *padapter)
/* vendor specific IE, such as WPA, WMM, WPS */
for (i = sizeof(struct ndis_802_11_fix_ie); i < pmlmeinfo->network.ie_length;) {
+ if (i + sizeof(*pIE) > pmlmeinfo->network.ie_length)
+ break;
pIE = (struct ndis_80211_var_ie *)(pmlmeinfo->network.ies + i);
+ if (i + sizeof(*pIE) + pIE->length > pmlmeinfo->network.ie_length)
+ break;
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:
@@ -5324,7 +5328,11 @@ u8 join_cmd_hdl(struct adapter *padapter, u8 *pbuf)
/* sizeof(struct ndis_802_11_fix_ie) */
for (i = _FIXED_IE_LENGTH_; i < pnetwork->ie_length;) {
+ if (i + sizeof(*pIE) > pnetwork->ie_length)
+ break;
pIE = (struct ndis_80211_var_ie *)(pnetwork->ies + i);
+ if (i + sizeof(*pIE) + pIE->length > pnetwork->ie_length)
+ break;
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:/* Get WMM IE. */
--
2.54.0
^ permalink raw reply related [flat|nested] 18+ messages in thread* [PATCH v6 3/7] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie()
2026-05-21 13:03 [PATCH v6 0/7] staging: rtl8723bs: fix OOB reads and writes in IE/attribute parsing Alexandru Hossu
2026-05-21 13:03 ` [PATCH v6 1/7] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop Alexandru Hossu
2026-05-21 13:03 ` [PATCH v6 2/7] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl() Alexandru Hossu
@ 2026-05-21 13:03 ` Alexandru Hossu
2026-05-21 13:03 ` [PATCH v6 4/7] staging: rtl8723bs: fix OOB write in HT_caps_handler() Alexandru Hossu
` (5 subsequent siblings)
8 siblings, 0 replies; 18+ messages in thread
From: Alexandru Hossu @ 2026-05-21 13:03 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, stable, hossu.alexandru, Luka Gejak
supplicant_ie is a 256-byte array in struct security_priv. The WPA and
WPA2 IE copy paths use:
memcpy(padapter->securitypriv.supplicant_ie, &pwpa[0], wpa_ielen + 2);
where wpa_ielen is the raw IE length field (u8, 0-255). When a local user
supplies a connect request via nl80211 with a crafted WPA IE of length 255,
wpa_ielen + 2 equals 257, overflowing the 256-byte buffer by one byte into
the adjacent last_mic_err_time field.
rtw_parse_wpa_ie() does not prevent this: its length consistency check
compares *(wpa_ie+1) against (u8)(wpa_ie_len-2), which is (u8)(255) == 255
when wpa_ie_len = 257, so the check passes silently.
Add explicit bounds checks for both the WPA and WPA2 paths before the
memcpy, rejecting any IE whose total size (wpa_ielen + 2) exceeds the
supplicant_ie buffer.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
index 098456e97c96..3d930d9af184 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
@@ -1443,6 +1443,10 @@ static int rtw_cfg80211_set_wpa_ie(struct adapter *padapter, u8 *pie, size_t iel
pwpa = rtw_get_wpa_ie(buf, &wpa_ielen, ielen);
if (pwpa && wpa_ielen > 0) {
+ if (wpa_ielen + 2 > sizeof(padapter->securitypriv.supplicant_ie)) {
+ ret = -EINVAL;
+ goto exit;
+ }
if (rtw_parse_wpa_ie(pwpa, wpa_ielen + 2, &group_cipher, &pairwise_cipher, NULL) == _SUCCESS) {
padapter->securitypriv.dot11AuthAlgrthm = dot11AuthAlgrthm_8021X;
padapter->securitypriv.ndisauthtype = Ndis802_11AuthModeWPAPSK;
@@ -1452,6 +1456,10 @@ static int rtw_cfg80211_set_wpa_ie(struct adapter *padapter, u8 *pie, size_t iel
pwpa2 = rtw_get_wpa2_ie(buf, &wpa2_ielen, ielen);
if (pwpa2 && wpa2_ielen > 0) {
+ if (wpa2_ielen + 2 > sizeof(padapter->securitypriv.supplicant_ie)) {
+ ret = -EINVAL;
+ goto exit;
+ }
if (rtw_parse_wpa2_ie(pwpa2, wpa2_ielen + 2, &group_cipher, &pairwise_cipher, NULL) == _SUCCESS) {
padapter->securitypriv.dot11AuthAlgrthm = dot11AuthAlgrthm_8021X;
padapter->securitypriv.ndisauthtype = Ndis802_11AuthModeWPA2PSK;
--
2.54.0
^ permalink raw reply related [flat|nested] 18+ messages in thread* [PATCH v6 4/7] staging: rtl8723bs: fix OOB write in HT_caps_handler()
2026-05-21 13:03 [PATCH v6 0/7] staging: rtl8723bs: fix OOB reads and writes in IE/attribute parsing Alexandru Hossu
` (2 preceding siblings ...)
2026-05-21 13:03 ` [PATCH v6 3/7] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie() Alexandru Hossu
@ 2026-05-21 13:03 ` Alexandru Hossu
2026-05-21 13:03 ` [PATCH v6 5/7] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop Alexandru Hossu
` (4 subsequent siblings)
8 siblings, 0 replies; 18+ messages in thread
From: Alexandru Hossu @ 2026-05-21 13:03 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, stable, hossu.alexandru
HT_caps_handler() iterates pIE->length bytes and writes into
HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
HT_caps_element). Because pIE->length is a raw u8 from an over-the-air
802.11 AssocResponse frame and is never validated, a malicious AP can
set it up to 255, causing up to 229 bytes of out-of-bounds writes into
adjacent fields of struct mlme_ext_info.
Truncate the iteration count to the size of HT_caps.u.HT_cap using
umin() so that data from a longer-than-expected IE is silently ignored
rather than written out of bounds, preserving interoperability with APs
that pad the element. An early return on oversized IEs was considered
but rejected: it would bypass the pmlmeinfo->HT_caps_enable = 1
assignment that precedes the loop, silently disabling HT mode for APs
that append extra bytes to the HT Capabilities IE.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index e0d73c267786..dd34f229df12 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -936,7 +936,8 @@ void HT_caps_handler(struct adapter *padapter, struct ndis_80211_var_ie *pIE)
pmlmeinfo->HT_caps_enable = 1;
- for (i = 0; i < (pIE->length); i++) {
+ for (i = 0; i < umin(pIE->length,
+ sizeof(pmlmeinfo->HT_caps.u.HT_cap)); i++) {
if (i != 2) {
/* Commented by Albert 2010/07/12 */
/* Got the endian issue here. */
--
2.54.0
^ permalink raw reply related [flat|nested] 18+ messages in thread* [PATCH v6 5/7] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop
2026-05-21 13:03 [PATCH v6 0/7] staging: rtl8723bs: fix OOB reads and writes in IE/attribute parsing Alexandru Hossu
` (3 preceding siblings ...)
2026-05-21 13:03 ` [PATCH v6 4/7] staging: rtl8723bs: fix OOB write in HT_caps_handler() Alexandru Hossu
@ 2026-05-21 13:03 ` Alexandru Hossu
2026-05-21 13:03 ` [PATCH v6 6/7] staging: rtl8723bs: fix OOB reads in is_ap_in_tkip() " Alexandru Hossu
` (3 subsequent siblings)
8 siblings, 0 replies; 18+ messages in thread
From: Alexandru Hossu @ 2026-05-21 13:03 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, stable, hossu.alexandru
The IE parsing loop in OnAssocRsp() advances by (pIE->length + 2) each
iteration but only guards on i < pkt_len. When a malicious AP sends an
AssocResponse whose last IE has only one byte remaining in the frame
(the element_id byte lands at pkt_len-1), the loop reads pIE->length
from pframe[pkt_len], which is one byte past the allocated receive buffer.
Additionally, even when the header bytes are in bounds, pIE->length
itself can extend the data window beyond pkt_len, silently passing a
truncated IE to the handler functions.
Add two guards at the top of the loop body:
1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
2. Break if the IE's declared data extends past pkt_len.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index c646dc2a1741..68ce422305ed 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -1406,7 +1406,11 @@ unsigned int OnAssocRsp(struct adapter *padapter, union recv_frame *precv_frame)
/* to handle HT, WMM, rate adaptive, update MAC reg */
/* for not to handle the synchronous IO in the tasklet */
for (i = (6 + WLAN_HDR_A3_LEN); i < pkt_len;) {
+ if (i + sizeof(*pIE) > pkt_len)
+ break;
pIE = (struct ndis_80211_var_ie *)(pframe + i);
+ if (i + sizeof(*pIE) + pIE->length > pkt_len)
+ break;
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:
--
2.54.0
^ permalink raw reply related [flat|nested] 18+ messages in thread* [PATCH v6 6/7] staging: rtl8723bs: fix OOB reads in is_ap_in_tkip() IE loop
2026-05-21 13:03 [PATCH v6 0/7] staging: rtl8723bs: fix OOB reads and writes in IE/attribute parsing Alexandru Hossu
` (4 preceding siblings ...)
2026-05-21 13:03 ` [PATCH v6 5/7] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop Alexandru Hossu
@ 2026-05-21 13:03 ` Alexandru Hossu
2026-05-21 13:03 ` [PATCH v6 7/7] staging: rtl8723bs: fix OOB reads in rtw_get_sec_ie(), rtw_get_wapi_ie(), and rtw_get_wps_attr() Alexandru Hossu
` (2 subsequent siblings)
8 siblings, 0 replies; 18+ messages in thread
From: Alexandru Hossu @ 2026-05-21 13:03 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, stable, hossu.alexandru
The loop in is_ap_in_tkip() iterates over IEs without verifying that
enough bytes remain before dereferencing the IE header or its payload:
- pIE->element_id and pIE->length are read without checking that
i + sizeof(*pIE) <= ie_length, so a truncated IE at the end of the
buffer causes an OOB read.
- For WLAN_EID_VENDOR_SPECIFIC the code compares pIE->data + 12,
which requires pIE->length >= 16. For WLAN_EID_RSN it compares
pIE->data + 8, requiring pIE->length >= 12. Neither requirement
is checked.
Add the missing IE header and payload bounds checks and guard each
data access with an explicit pIE->length minimum, matching the
pattern established in update_beacon_info().
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index dd34f229df12..94bbe7ac13ac 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -1335,15 +1335,23 @@ unsigned int is_ap_in_tkip(struct adapter *padapter)
for (i = sizeof(struct ndis_802_11_fix_ie); i < pmlmeinfo->network.ie_length;) {
pIE = (struct ndis_80211_var_ie *)(pmlmeinfo->network.ies + i);
+ if (i + sizeof(*pIE) > pmlmeinfo->network.ie_length)
+ break;
+ if (i + sizeof(*pIE) + pIE->length > pmlmeinfo->network.ie_length)
+ break;
+
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:
- if ((!memcmp(pIE->data, RTW_WPA_OUI, 4)) && (!memcmp((pIE->data + 12), WPA_TKIP_CIPHER, 4)))
+ if (pIE->length >= 16 &&
+ !memcmp(pIE->data, RTW_WPA_OUI, 4) &&
+ !memcmp((pIE->data + 12), WPA_TKIP_CIPHER, 4))
return true;
break;
case WLAN_EID_RSN:
- if (!memcmp((pIE->data + 8), RSN_TKIP_CIPHER, 4))
+ if (pIE->length >= 12 &&
+ !memcmp((pIE->data + 8), RSN_TKIP_CIPHER, 4))
return true;
break;
@@ -1351,7 +1359,7 @@ unsigned int is_ap_in_tkip(struct adapter *padapter)
break;
}
- i += (pIE->length + 2);
+ i += sizeof(*pIE) + pIE->length;
}
return false;
--
2.54.0
^ permalink raw reply related [flat|nested] 18+ messages in thread* [PATCH v6 7/7] staging: rtl8723bs: fix OOB reads in rtw_get_sec_ie(), rtw_get_wapi_ie(), and rtw_get_wps_attr()
2026-05-21 13:03 [PATCH v6 0/7] staging: rtl8723bs: fix OOB reads and writes in IE/attribute parsing Alexandru Hossu
` (5 preceding siblings ...)
2026-05-21 13:03 ` [PATCH v6 6/7] staging: rtl8723bs: fix OOB reads in is_ap_in_tkip() " Alexandru Hossu
@ 2026-05-21 13:03 ` Alexandru Hossu
2026-05-21 14:11 ` [PATCH v6 0/7] staging: rtl8723bs: fix OOB reads and writes in IE/attribute parsing Greg KH
2026-05-22 0:45 ` [PATCH v7 " Alexandru Hossu
8 siblings, 0 replies; 18+ messages in thread
From: Alexandru Hossu @ 2026-05-21 13:03 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, stable, hossu.alexandru
Three IE/attribute parsing functions have missing bounds checks.
rtw_get_sec_ie() and rtw_get_wapi_ie() iterate over a raw IE buffer
without verifying that the header bytes (tag + length) are within the
remaining buffer before reading them. Additionally, rtw_get_sec_ie()
compares the 4-byte WPA OUI at cnt+2 without checking that at least
6 bytes remain, and rtw_get_wapi_ie() compares a 4-byte WAPI OUI at
cnt+6 without checking that at least 10 bytes remain.
rtw_get_wps_attr() reads wps_ie[0] and wps_ie+2 unconditionally at
entry, before verifying that wps_ielen is large enough to contain
the 6-byte WPS IE header (element_id + length + 4-byte OUI). Inside
the attribute loop, get_unaligned_be16() is called on attr_ptr and
attr_ptr+2 without checking that 4 bytes remain in the buffer.
Add a cnt+2 bounds check before each loop body in rtw_get_sec_ie()
and rtw_get_wapi_ie(), guard each multi-byte comparison with a minimum
IE length requirement, add a wps_ielen < 6 early return in
rtw_get_wps_attr(), and add a 4-byte bounds check in its inner loop.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
index 72b7f731dd47..3c1f0068cd92 100644
--- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
+++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
@@ -583,9 +583,14 @@ int rtw_get_wapi_ie(u8 *in_ie, uint in_len, u8 *wapi_ie, u16 *wapi_len)
cnt = (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_);
while (cnt < in_len) {
+ if (cnt + 2 > in_len)
+ break;
+ if (cnt + 2 + in_ie[cnt + 1] > in_len)
+ break;
authmode = in_ie[cnt];
if (authmode == WLAN_EID_BSS_AC_ACCESS_DELAY &&
+ in_ie[cnt + 1] >= 8 &&
(!memcmp(&in_ie[cnt + 6], wapi_oui1, 4) ||
!memcmp(&in_ie[cnt + 6], wapi_oui2, 4))) {
if (wapi_ie)
@@ -616,9 +621,14 @@ void rtw_get_sec_ie(u8 *in_ie, uint in_len, u8 *rsn_ie, u16 *rsn_len, u8 *wpa_ie
cnt = (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_);
while (cnt < in_len) {
+ if (cnt + 2 > in_len)
+ break;
+ if (cnt + 2 + in_ie[cnt + 1] > in_len)
+ break;
authmode = in_ie[cnt];
if ((authmode == WLAN_EID_VENDOR_SPECIFIC) &&
+ in_ie[cnt + 1] >= 4 &&
(!memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4))) {
if (wpa_ie)
memcpy(wpa_ie, &in_ie[cnt], in_ie[cnt + 1] + 2);
@@ -699,6 +709,9 @@ u8 *rtw_get_wps_attr(u8 *wps_ie, uint wps_ielen, u16 target_attr_id, u8 *buf_att
if (len_attr)
*len_attr = 0;
+ if (wps_ielen < 6)
+ return attr_ptr;
+
if ((wps_ie[0] != WLAN_EID_VENDOR_SPECIFIC) ||
(memcmp(wps_ie + 2, wps_oui, 4))) {
return attr_ptr;
@@ -709,6 +722,8 @@ u8 *rtw_get_wps_attr(u8 *wps_ie, uint wps_ielen, u16 target_attr_id, u8 *buf_att
while (attr_ptr - wps_ie < wps_ielen) {
/* 4 = 2(Attribute ID) + 2(Length) */
+ if (attr_ptr + 4 > wps_ie + wps_ielen)
+ break;
u16 attr_id = get_unaligned_be16(attr_ptr);
u16 attr_data_len = get_unaligned_be16(attr_ptr + 2);
u16 attr_len = attr_data_len + 4;
--
2.54.0
^ permalink raw reply related [flat|nested] 18+ messages in thread* Re: [PATCH v6 0/7] staging: rtl8723bs: fix OOB reads and writes in IE/attribute parsing
2026-05-21 13:03 [PATCH v6 0/7] staging: rtl8723bs: fix OOB reads and writes in IE/attribute parsing Alexandru Hossu
` (6 preceding siblings ...)
2026-05-21 13:03 ` [PATCH v6 7/7] staging: rtl8723bs: fix OOB reads in rtw_get_sec_ie(), rtw_get_wapi_ie(), and rtw_get_wps_attr() Alexandru Hossu
@ 2026-05-21 14:11 ` Greg KH
2026-05-21 14:18 ` Alexandru Hossu
2026-05-22 0:45 ` [PATCH v7 " Alexandru Hossu
8 siblings, 1 reply; 18+ messages in thread
From: Greg KH @ 2026-05-21 14:11 UTC (permalink / raw)
To: Alexandru Hossu; +Cc: linux-staging, stable
On Thu, May 21, 2026 at 03:03:23PM +0200, Alexandru Hossu wrote:
> Fix out-of-bounds memory accesses in several IE and attribute parsing
> paths of the rtl8723bs driver. All affected functions iterate over
> attacker-controlled IE data from over-the-air frames without validating
> header or payload bounds before dereferencing.
>
> v6: add two patches addressing issues found during v5 review.
> Patch 6 adds IE header bounds checks and payload length guards to
> is_ap_in_tkip(). Patch 7 adds header and payload bounds checks to
> rtw_get_sec_ie(), rtw_get_wapi_ie(), and rtw_get_wps_attr().
>
You have to show all the version info for all versions :(
^ permalink raw reply [flat|nested] 18+ messages in thread* [PATCH v7 0/7] staging: rtl8723bs: fix OOB reads and writes in IE/attribute parsing
2026-05-21 13:03 [PATCH v6 0/7] staging: rtl8723bs: fix OOB reads and writes in IE/attribute parsing Alexandru Hossu
` (7 preceding siblings ...)
2026-05-21 14:11 ` [PATCH v6 0/7] staging: rtl8723bs: fix OOB reads and writes in IE/attribute parsing Greg KH
@ 2026-05-22 0:45 ` Alexandru Hossu
2026-05-22 0:45 ` [PATCH v7 1/7] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop Alexandru Hossu
` (6 more replies)
8 siblings, 7 replies; 18+ messages in thread
From: Alexandru Hossu @ 2026-05-22 0:45 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, linux-kernel, luka.gejak, Alexandru Hossu
Fix out-of-bounds memory accesses in several IE and attribute parsing
paths of the rtl8723bs driver. All affected functions iterate over
attacker-controlled IE data from over-the-air frames without validating
header or payload bounds before dereferencing.
Alexandru Hossu (7):
staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and
join_cmd_hdl()
staging: rtl8723bs: fix heap buffer overflow in
rtw_cfg80211_set_wpa_ie()
staging: rtl8723bs: fix OOB write in HT_caps_handler()
staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop
staging: rtl8723bs: fix OOB reads in is_ap_in_tkip() IE loop
staging: rtl8723bs: fix OOB reads in rtw_get_sec_ie(),
rtw_get_wapi_ie(), and rtw_get_wps_attr()
.../staging/rtl8723bs/core/rtw_ieee80211.c | 15 ++++++++++++
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 12 ++++++++++
.../staging/rtl8723bs/core/rtw_wlan_util.c | 23 +++++++++++++++----
.../staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 8 +++++++
4 files changed, 53 insertions(+), 5 deletions(-)
---
v7: no code changes; add full version history to cover letter (omitted
from v6)
v6: add two patches addressing issues found during v5 review.
Patch 6 adds IE header bounds checks and payload length guards to
is_ap_in_tkip(). Patch 7 adds header and payload bounds checks to
rtw_get_sec_ie(), rtw_get_wapi_ie(), and rtw_get_wps_attr().
v5: patch 2: fix WPS truncation path reading past IE payload when
pIE->length < 14; strengthen WMM guard in join_cmd_hdl() from
pIE->length >= 4 to >= WLAN_WMM_LEN
v4: patch 1: add pkt_len underflow guard; fix WLAN_EID_VENDOR_SPECIFIC
condition ordering; fix bwmode_update_check() IE length check from
> to !=. Patch 2: add pIE->length >= 4 OUI guards; add HT_caps and
HT_info minimum length checks. Patch 3: add bounds checks in
rtw_get_wps_ie(); add WPS OUI length guard.
v3: add Fixes: 554c0a3abf21 and Cc: stable@vger.kernel.org to all
patches; move Reviewed-by above Signed-off-by
v2: patch 1: rewrite loop increment as sizeof(*pIE) + pIE->length for
consistency with the sizeof(*pIE) guards (Dan Carpenter)
v1: initial submission
v6: https://lore.kernel.org/r/20260521130330.754181-1-hossu.alexandru@gmail.com
v5: https://lore.kernel.org/r/20260511165743.1588637-1-hossu.alexandru@gmail.com
v4: https://lore.kernel.org/r/20260505173818.3674164-1-hossu.alexandru@gmail.com
v3: https://lore.kernel.org/r/20260427081626.3393697-1-hossu.alexandru@gmail.com
v2: https://lore.kernel.org/r/20260426095156.3523480-1-hossu.alexandru@gmail.com
v1: https://lore.kernel.org/r/20260424151932.3734611-1-hossu.alexandru@gmail.com
--
2.54.0
^ permalink raw reply [flat|nested] 18+ messages in thread* [PATCH v7 1/7] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
2026-05-22 0:45 ` [PATCH v7 " Alexandru Hossu
@ 2026-05-22 0:45 ` Alexandru Hossu
2026-05-22 0:45 ` [PATCH v7 2/7] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl() Alexandru Hossu
` (5 subsequent siblings)
6 siblings, 0 replies; 18+ messages in thread
From: Alexandru Hossu @ 2026-05-22 0:45 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, linux-kernel, luka.gejak, Alexandru Hossu, stable
The IE parsing loop in update_beacon_info() advances by
(pIE->length + 2) each iteration but only guards on i < len.
When a malicious AP sends a Beacon whose last IE has only one byte
remaining in the frame (the element_id byte lands at len-1), the loop
reads pIE->length from one byte past the allocated receive buffer.
Additionally, even when the header bytes are in bounds, pIE->length
itself can extend the data window beyond len, passing a truncated IE
to the handler functions.
Add two guards at the top of the loop body:
1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
2. Break if the IE's declared data extends past len.
Also replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length
for consistency with the sizeof(*pIE) guards added above.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index 6a7c09db4cd9..e0d73c267786 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -1289,7 +1289,11 @@ void update_beacon_info(struct adapter *padapter, u8 *pframe, uint pkt_len, stru
len = pkt_len - (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN);
for (i = 0; i < len;) {
+ if (i + sizeof(*pIE) > len)
+ break;
pIE = (struct ndis_80211_var_ie *)(pframe + (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN) + i);
+ if (i + sizeof(*pIE) + pIE->length > len)
+ break;
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:
@@ -1314,7 +1318,7 @@ void update_beacon_info(struct adapter *padapter, u8 *pframe, uint pkt_len, stru
break;
}
- i += (pIE->length + 2);
+ i += sizeof(*pIE) + pIE->length;
}
}
--
2.54.0
^ permalink raw reply related [flat|nested] 18+ messages in thread* [PATCH v7 2/7] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl()
2026-05-22 0:45 ` [PATCH v7 " Alexandru Hossu
2026-05-22 0:45 ` [PATCH v7 1/7] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop Alexandru Hossu
@ 2026-05-22 0:45 ` Alexandru Hossu
2026-05-22 0:45 ` [PATCH v7 3/7] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie() Alexandru Hossu
` (4 subsequent siblings)
6 siblings, 0 replies; 18+ messages in thread
From: Alexandru Hossu @ 2026-05-22 0:45 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, linux-kernel, luka.gejak, Alexandru Hossu, stable
Two IE parsing loops are missing the header bounds checks before they
dereference pIE->length:
- issue_assocreq() walks pmlmeinfo->network.ies to build the
association request. If the stored IE data ends with only an
element_id byte and no length byte, pIE->length is read one byte
past the end of the buffer.
- join_cmd_hdl() walks pnetwork->ies during station join and has
the same problem under the same conditions.
Both buffers are filled from AP beacon and probe-response frames, so a
malicious AP that sends a truncated final IE can trigger the issue.
Apply the two-guard pattern established in update_beacon_info():
1. Break if fewer than sizeof(*pIE) bytes remain.
2. Break if the IE's declared data extends past the buffer end.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index 884cd39ec756..c646dc2a1741 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -2931,7 +2931,11 @@ void issue_assocreq(struct adapter *padapter)
/* vendor specific IE, such as WPA, WMM, WPS */
for (i = sizeof(struct ndis_802_11_fix_ie); i < pmlmeinfo->network.ie_length;) {
+ if (i + sizeof(*pIE) > pmlmeinfo->network.ie_length)
+ break;
pIE = (struct ndis_80211_var_ie *)(pmlmeinfo->network.ies + i);
+ if (i + sizeof(*pIE) + pIE->length > pmlmeinfo->network.ie_length)
+ break;
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:
@@ -5324,7 +5328,11 @@ u8 join_cmd_hdl(struct adapter *padapter, u8 *pbuf)
/* sizeof(struct ndis_802_11_fix_ie) */
for (i = _FIXED_IE_LENGTH_; i < pnetwork->ie_length;) {
+ if (i + sizeof(*pIE) > pnetwork->ie_length)
+ break;
pIE = (struct ndis_80211_var_ie *)(pnetwork->ies + i);
+ if (i + sizeof(*pIE) + pIE->length > pnetwork->ie_length)
+ break;
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:/* Get WMM IE. */
--
2.54.0
^ permalink raw reply related [flat|nested] 18+ messages in thread* [PATCH v7 3/7] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie()
2026-05-22 0:45 ` [PATCH v7 " Alexandru Hossu
2026-05-22 0:45 ` [PATCH v7 1/7] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop Alexandru Hossu
2026-05-22 0:45 ` [PATCH v7 2/7] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl() Alexandru Hossu
@ 2026-05-22 0:45 ` Alexandru Hossu
2026-05-22 0:45 ` [PATCH v7 4/7] staging: rtl8723bs: fix OOB write in HT_caps_handler() Alexandru Hossu
` (3 subsequent siblings)
6 siblings, 0 replies; 18+ messages in thread
From: Alexandru Hossu @ 2026-05-22 0:45 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, linux-kernel, luka.gejak, Alexandru Hossu, stable
supplicant_ie is a 256-byte array in struct security_priv. The WPA and
WPA2 IE copy paths use:
memcpy(padapter->securitypriv.supplicant_ie, &pwpa[0], wpa_ielen + 2);
where wpa_ielen is the raw IE length field (u8, 0-255). When a local user
supplies a connect request via nl80211 with a crafted WPA IE of length 255,
wpa_ielen + 2 equals 257, overflowing the 256-byte buffer by one byte into
the adjacent last_mic_err_time field.
rtw_parse_wpa_ie() does not prevent this: its length consistency check
compares *(wpa_ie+1) against (u8)(wpa_ie_len-2), which is (u8)(255) == 255
when wpa_ie_len = 257, so the check passes silently.
Add explicit bounds checks for both the WPA and WPA2 paths before the
memcpy, rejecting any IE whose total size (wpa_ielen + 2) exceeds the
supplicant_ie buffer.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
index 098456e97c96..3d930d9af184 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
@@ -1443,6 +1443,10 @@ static int rtw_cfg80211_set_wpa_ie(struct adapter *padapter, u8 *pie, size_t iel
pwpa = rtw_get_wpa_ie(buf, &wpa_ielen, ielen);
if (pwpa && wpa_ielen > 0) {
+ if (wpa_ielen + 2 > sizeof(padapter->securitypriv.supplicant_ie)) {
+ ret = -EINVAL;
+ goto exit;
+ }
if (rtw_parse_wpa_ie(pwpa, wpa_ielen + 2, &group_cipher, &pairwise_cipher, NULL) == _SUCCESS) {
padapter->securitypriv.dot11AuthAlgrthm = dot11AuthAlgrthm_8021X;
padapter->securitypriv.ndisauthtype = Ndis802_11AuthModeWPAPSK;
@@ -1452,6 +1456,10 @@ static int rtw_cfg80211_set_wpa_ie(struct adapter *padapter, u8 *pie, size_t iel
pwpa2 = rtw_get_wpa2_ie(buf, &wpa2_ielen, ielen);
if (pwpa2 && wpa2_ielen > 0) {
+ if (wpa2_ielen + 2 > sizeof(padapter->securitypriv.supplicant_ie)) {
+ ret = -EINVAL;
+ goto exit;
+ }
if (rtw_parse_wpa2_ie(pwpa2, wpa2_ielen + 2, &group_cipher, &pairwise_cipher, NULL) == _SUCCESS) {
padapter->securitypriv.dot11AuthAlgrthm = dot11AuthAlgrthm_8021X;
padapter->securitypriv.ndisauthtype = Ndis802_11AuthModeWPA2PSK;
--
2.54.0
^ permalink raw reply related [flat|nested] 18+ messages in thread* [PATCH v7 4/7] staging: rtl8723bs: fix OOB write in HT_caps_handler()
2026-05-22 0:45 ` [PATCH v7 " Alexandru Hossu
` (2 preceding siblings ...)
2026-05-22 0:45 ` [PATCH v7 3/7] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie() Alexandru Hossu
@ 2026-05-22 0:45 ` Alexandru Hossu
2026-05-22 0:45 ` [PATCH v7 5/7] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop Alexandru Hossu
` (2 subsequent siblings)
6 siblings, 0 replies; 18+ messages in thread
From: Alexandru Hossu @ 2026-05-22 0:45 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, linux-kernel, luka.gejak, Alexandru Hossu, stable
HT_caps_handler() iterates pIE->length bytes and writes into
HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
HT_caps_element). Because pIE->length is a raw u8 from an over-the-air
802.11 AssocResponse frame and is never validated, a malicious AP can
set it up to 255, causing up to 229 bytes of out-of-bounds writes into
adjacent fields of struct mlme_ext_info.
Truncate the iteration count to the size of HT_caps.u.HT_cap using
umin() so that data from a longer-than-expected IE is silently ignored
rather than written out of bounds, preserving interoperability with APs
that pad the element. An early return on oversized IEs was considered
but rejected: it would bypass the pmlmeinfo->HT_caps_enable = 1
assignment that precedes the loop, silently disabling HT mode for APs
that append extra bytes to the HT Capabilities IE.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index e0d73c267786..dd34f229df12 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -936,7 +936,8 @@ void HT_caps_handler(struct adapter *padapter, struct ndis_80211_var_ie *pIE)
pmlmeinfo->HT_caps_enable = 1;
- for (i = 0; i < (pIE->length); i++) {
+ for (i = 0; i < umin(pIE->length,
+ sizeof(pmlmeinfo->HT_caps.u.HT_cap)); i++) {
if (i != 2) {
/* Commented by Albert 2010/07/12 */
/* Got the endian issue here. */
--
2.54.0
^ permalink raw reply related [flat|nested] 18+ messages in thread* [PATCH v7 5/7] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop
2026-05-22 0:45 ` [PATCH v7 " Alexandru Hossu
` (3 preceding siblings ...)
2026-05-22 0:45 ` [PATCH v7 4/7] staging: rtl8723bs: fix OOB write in HT_caps_handler() Alexandru Hossu
@ 2026-05-22 0:45 ` Alexandru Hossu
2026-05-22 0:45 ` [PATCH v7 6/7] staging: rtl8723bs: fix OOB reads in is_ap_in_tkip() " Alexandru Hossu
2026-05-22 0:45 ` [PATCH v7 7/7] staging: rtl8723bs: fix OOB reads in rtw_get_sec_ie(), rtw_get_wapi_ie(), and rtw_get_wps_attr() Alexandru Hossu
6 siblings, 0 replies; 18+ messages in thread
From: Alexandru Hossu @ 2026-05-22 0:45 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, linux-kernel, luka.gejak, Alexandru Hossu, stable
The IE parsing loop in OnAssocRsp() advances by (pIE->length + 2) each
iteration but only guards on i < pkt_len. When a malicious AP sends an
AssocResponse whose last IE has only one byte remaining in the frame
(the element_id byte lands at pkt_len-1), the loop reads pIE->length
from pframe[pkt_len], which is one byte past the allocated receive buffer.
Additionally, even when the header bytes are in bounds, pIE->length
itself can extend the data window beyond pkt_len, silently passing a
truncated IE to the handler functions.
Add two guards at the top of the loop body:
1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
2. Break if the IE's declared data extends past pkt_len.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index c646dc2a1741..68ce422305ed 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -1406,7 +1406,11 @@ unsigned int OnAssocRsp(struct adapter *padapter, union recv_frame *precv_frame)
/* to handle HT, WMM, rate adaptive, update MAC reg */
/* for not to handle the synchronous IO in the tasklet */
for (i = (6 + WLAN_HDR_A3_LEN); i < pkt_len;) {
+ if (i + sizeof(*pIE) > pkt_len)
+ break;
pIE = (struct ndis_80211_var_ie *)(pframe + i);
+ if (i + sizeof(*pIE) + pIE->length > pkt_len)
+ break;
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:
--
2.54.0
^ permalink raw reply related [flat|nested] 18+ messages in thread* [PATCH v7 6/7] staging: rtl8723bs: fix OOB reads in is_ap_in_tkip() IE loop
2026-05-22 0:45 ` [PATCH v7 " Alexandru Hossu
` (4 preceding siblings ...)
2026-05-22 0:45 ` [PATCH v7 5/7] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop Alexandru Hossu
@ 2026-05-22 0:45 ` Alexandru Hossu
2026-05-22 0:45 ` [PATCH v7 7/7] staging: rtl8723bs: fix OOB reads in rtw_get_sec_ie(), rtw_get_wapi_ie(), and rtw_get_wps_attr() Alexandru Hossu
6 siblings, 0 replies; 18+ messages in thread
From: Alexandru Hossu @ 2026-05-22 0:45 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, linux-kernel, luka.gejak, Alexandru Hossu, stable
The loop in is_ap_in_tkip() iterates over IEs without verifying that
enough bytes remain before dereferencing the IE header or its payload:
- pIE->element_id and pIE->length are read without checking that
i + sizeof(*pIE) <= ie_length, so a truncated IE at the end of the
buffer causes an OOB read.
- For WLAN_EID_VENDOR_SPECIFIC the code compares pIE->data + 12,
which requires pIE->length >= 16. For WLAN_EID_RSN it compares
pIE->data + 8, requiring pIE->length >= 12. Neither requirement
is checked.
Add the missing IE header and payload bounds checks and guard each
data access with an explicit pIE->length minimum, matching the
pattern established in update_beacon_info().
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index dd34f229df12..94bbe7ac13ac 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -1335,15 +1335,23 @@ unsigned int is_ap_in_tkip(struct adapter *padapter)
for (i = sizeof(struct ndis_802_11_fix_ie); i < pmlmeinfo->network.ie_length;) {
pIE = (struct ndis_80211_var_ie *)(pmlmeinfo->network.ies + i);
+ if (i + sizeof(*pIE) > pmlmeinfo->network.ie_length)
+ break;
+ if (i + sizeof(*pIE) + pIE->length > pmlmeinfo->network.ie_length)
+ break;
+
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:
- if ((!memcmp(pIE->data, RTW_WPA_OUI, 4)) && (!memcmp((pIE->data + 12), WPA_TKIP_CIPHER, 4)))
+ if (pIE->length >= 16 &&
+ !memcmp(pIE->data, RTW_WPA_OUI, 4) &&
+ !memcmp((pIE->data + 12), WPA_TKIP_CIPHER, 4))
return true;
break;
case WLAN_EID_RSN:
- if (!memcmp((pIE->data + 8), RSN_TKIP_CIPHER, 4))
+ if (pIE->length >= 12 &&
+ !memcmp((pIE->data + 8), RSN_TKIP_CIPHER, 4))
return true;
break;
@@ -1351,7 +1359,7 @@ unsigned int is_ap_in_tkip(struct adapter *padapter)
break;
}
- i += (pIE->length + 2);
+ i += sizeof(*pIE) + pIE->length;
}
return false;
--
2.54.0
^ permalink raw reply related [flat|nested] 18+ messages in thread* [PATCH v7 7/7] staging: rtl8723bs: fix OOB reads in rtw_get_sec_ie(), rtw_get_wapi_ie(), and rtw_get_wps_attr()
2026-05-22 0:45 ` [PATCH v7 " Alexandru Hossu
` (5 preceding siblings ...)
2026-05-22 0:45 ` [PATCH v7 6/7] staging: rtl8723bs: fix OOB reads in is_ap_in_tkip() " Alexandru Hossu
@ 2026-05-22 0:45 ` Alexandru Hossu
6 siblings, 0 replies; 18+ messages in thread
From: Alexandru Hossu @ 2026-05-22 0:45 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, linux-kernel, luka.gejak, Alexandru Hossu, stable
Three IE/attribute parsing functions have missing bounds checks.
rtw_get_sec_ie() and rtw_get_wapi_ie() iterate over a raw IE buffer
without verifying that the header bytes (tag + length) are within the
remaining buffer before reading them. Additionally, rtw_get_sec_ie()
compares the 4-byte WPA OUI at cnt+2 without checking that at least
6 bytes remain, and rtw_get_wapi_ie() compares a 4-byte WAPI OUI at
cnt+6 without checking that at least 10 bytes remain.
rtw_get_wps_attr() reads wps_ie[0] and wps_ie+2 unconditionally at
entry, before verifying that wps_ielen is large enough to contain
the 6-byte WPS IE header (element_id + length + 4-byte OUI). Inside
the attribute loop, get_unaligned_be16() is called on attr_ptr and
attr_ptr+2 without checking that 4 bytes remain in the buffer.
Add a cnt+2 bounds check before each loop body in rtw_get_sec_ie()
and rtw_get_wapi_ie(), guard each multi-byte comparison with a minimum
IE length requirement, add a wps_ielen < 6 early return in
rtw_get_wps_attr(), and add a 4-byte bounds check in its inner loop.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
index 72b7f731dd47..3c1f0068cd92 100644
--- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
+++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
@@ -583,9 +583,14 @@ int rtw_get_wapi_ie(u8 *in_ie, uint in_len, u8 *wapi_ie, u16 *wapi_len)
cnt = (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_);
while (cnt < in_len) {
+ if (cnt + 2 > in_len)
+ break;
+ if (cnt + 2 + in_ie[cnt + 1] > in_len)
+ break;
authmode = in_ie[cnt];
if (authmode == WLAN_EID_BSS_AC_ACCESS_DELAY &&
+ in_ie[cnt + 1] >= 8 &&
(!memcmp(&in_ie[cnt + 6], wapi_oui1, 4) ||
!memcmp(&in_ie[cnt + 6], wapi_oui2, 4))) {
if (wapi_ie)
@@ -616,9 +621,14 @@ void rtw_get_sec_ie(u8 *in_ie, uint in_len, u8 *rsn_ie, u16 *rsn_len, u8 *wpa_ie
cnt = (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_);
while (cnt < in_len) {
+ if (cnt + 2 > in_len)
+ break;
+ if (cnt + 2 + in_ie[cnt + 1] > in_len)
+ break;
authmode = in_ie[cnt];
if ((authmode == WLAN_EID_VENDOR_SPECIFIC) &&
+ in_ie[cnt + 1] >= 4 &&
(!memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4))) {
if (wpa_ie)
memcpy(wpa_ie, &in_ie[cnt], in_ie[cnt + 1] + 2);
@@ -699,6 +709,9 @@ u8 *rtw_get_wps_attr(u8 *wps_ie, uint wps_ielen, u16 target_attr_id, u8 *buf_att
if (len_attr)
*len_attr = 0;
+ if (wps_ielen < 6)
+ return attr_ptr;
+
if ((wps_ie[0] != WLAN_EID_VENDOR_SPECIFIC) ||
(memcmp(wps_ie + 2, wps_oui, 4))) {
return attr_ptr;
@@ -709,6 +722,8 @@ u8 *rtw_get_wps_attr(u8 *wps_ie, uint wps_ielen, u16 target_attr_id, u8 *buf_att
while (attr_ptr - wps_ie < wps_ielen) {
/* 4 = 2(Attribute ID) + 2(Length) */
+ if (attr_ptr + 4 > wps_ie + wps_ielen)
+ break;
u16 attr_id = get_unaligned_be16(attr_ptr);
u16 attr_data_len = get_unaligned_be16(attr_ptr + 2);
u16 attr_len = attr_data_len + 4;
--
2.54.0
^ permalink raw reply related [flat|nested] 18+ messages in thread