From: "Luka Gejak" <luka.gejak@linux.dev>
To: "Alexandru Hossu" <hossu.alexandru@gmail.com>,
<gregkh@linuxfoundation.org>
Cc: <linux-staging@lists.linux.dev>
Subject: Re: [PATCH 0/3] staging: rtl8723bs: fix OOB reads and heap overflow in IE parsing
Date: Fri, 24 Apr 2026 18:05:14 +0200 [thread overview]
Message-ID: <DI1IHIF0D6K2.1IU19G9JW5YEG@linux.dev> (raw)
In-Reply-To: <20260424151932.3734611-1-hossu.alexandru@gmail.com>
On Fri Apr 24, 2026 at 5:19 PM CEST, Alexandru Hossu wrote:
> This series fixes three related bugs in the rtl8723bs staging driver's
> 802.11 IE parsing code. All three follow the same root cause: IE parsing
> loops and IE handler functions do not validate that an IE's declared length
> fits within the actual frame/buffer before operating on it.
>
> Patch 1 and 2 fix OOB reads in three IE parsing loops
> (update_beacon_info, issue_assocreq, join_cmd_hdl) that lack the two-guard
> pattern already applied to OnAssocRsp() in a previous fix. A malicious AP
> sending a beacon or association response with a truncated final IE (e.g.,
> only the element_id byte present, no length byte) causes the loop to read
> pIE->length one byte past the end of the IE area.
>
> Patch 3 fixes a one-byte heap buffer overflow in rtw_cfg80211_set_wpa_ie().
> supplicant_ie is a 256-byte array in struct security_priv. Because
> wpa_ielen is taken directly from the IE length field (u8, 0-255), the copy:
>
> memcpy(supplicant_ie, pwpa, wpa_ielen + 2);
>
> can write up to 257 bytes. rtw_parse_wpa_ie()'s own length consistency
> check silently passes because it casts the arithmetic to u8:
> (u8)(257 - 2) == 255 == wpa_ielen. The overflow is triggered via
> NL80211_CMD_CONNECT with a crafted WPA IE of length 255; nl80211's
> validate_ie_attr() accepts this as a well-formed (though oversized) IE.
>
> Alexandru Hossu (3):
> staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
> staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and
> join_cmd_hdl()
> staging: rtl8723bs: fix heap buffer overflow in
> rtw_cfg80211_set_wpa_ie()
>
> drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 8 ++++++++
> drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 4 ++++
> drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 8 ++++++++
> 3 files changed, 20 insertions(+)
LGTM so for the patch series:
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Best regards,
Luka Gejak
prev parent reply other threads:[~2026-04-24 16:05 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-24 15:19 [PATCH 0/3] staging: rtl8723bs: fix OOB reads and heap overflow in IE parsing Alexandru Hossu
2026-04-24 15:19 ` [PATCH 1/3] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop Alexandru Hossu
2026-04-25 11:42 ` Dan Carpenter
2026-04-24 15:19 ` [PATCH 2/3] staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl() Alexandru Hossu
2026-04-24 15:19 ` [PATCH 3/3] staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie() Alexandru Hossu
2026-04-25 12:10 ` Dan Carpenter
2026-04-24 16:05 ` Luka Gejak [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DI1IHIF0D6K2.1IU19G9JW5YEG@linux.dev \
--to=luka.gejak@linux.dev \
--cc=gregkh@linuxfoundation.org \
--cc=hossu.alexandru@gmail.com \
--cc=linux-staging@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox