[PATCH] staging: rtl8723bs: fix OOB write in HT_caps_handler()

[PATCH] staging: rtl8723bs: fix OOB write in HT_caps_handler()

[Greg Kroah-Hartman]

HT_caps_handler() loops up to pIE->length, the IE length byte taken
directly from an over-the-air association response, and uses the counter
to index pmlmeinfo->HT_caps.u.HT_cap[26].  A malicious AP can supply an
HT capabilities IE with a length byte up to 255, AND-writing into
adjacent fields of struct mlme_ext_info.  This is reachable in station
mode (the default) via OnAssocRsp.

HT_info_handler() already rejects oversized IEs so do the same thing in
HT_caps_handler() to resolve this.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Assisted-by: gregkh_clanker_t1000
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index 3242978da36c..a2e016c6a01f 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -932,6 +932,9 @@ void HT_caps_handler(struct adapter *padapter, struct ndis_80211_var_ie *pIE)
 	if (phtpriv->ht_option == false)
 		return;
 
+	if (pIE->length > sizeof(pmlmeinfo->HT_caps))
+		return;
+
 	pmlmeinfo->HT_caps_enable = 1;
 
 	for (i = 0; i < (pIE->length); i++) {
-- 
2.53.0

Re: [PATCH] staging: rtl8723bs: fix OOB write in HT_caps_handler()

[Luka Gejak]

On Tue Apr 14, 2026 at 7:19 PM CEST, Greg Kroah-Hartman wrote:
> HT_caps_handler() loops up to pIE->length, the IE length byte taken
> directly from an over-the-air association response, and uses the counter
> to index pmlmeinfo->HT_caps.u.HT_cap[26].  A malicious AP can supply an
> HT capabilities IE with a length byte up to 255, AND-writing into
> adjacent fields of struct mlme_ext_info.  This is reachable in station
> mode (the default) via OnAssocRsp.
>
> HT_info_handler() already rejects oversized IEs so do the same thing in
> HT_caps_handler() to resolve this.
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Assisted-by: gregkh_clanker_t1000
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>  drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> index 3242978da36c..a2e016c6a01f 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> @@ -932,6 +932,9 @@ void HT_caps_handler(struct adapter *padapter, struct ndis_80211_var_ie *pIE)
>  	if (phtpriv->ht_option == false)
>  		return;
>  
> +	if (pIE->length > sizeof(pmlmeinfo->HT_caps))
> +		return;
> +
>  	pmlmeinfo->HT_caps_enable = 1;
>  
>  	for (i = 0; i < (pIE->length); i++) {

Good catch. Trusting pIE->length blindly from an unauthenticated 
association response is a classic oob write vector. Since HT_cap is 
fixed-size within the mlme_ext_info struct, this is a clear remote heap
corruption risk if a malicious AP is in range.
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>