From: Dan Carpenter <error27@gmail.com>
To: Alexandru Hossu <hossu.alexandru@gmail.com>
Cc: gregkh@linuxfoundation.org, linux-staging@lists.linux.dev,
linux-kernel@vger.kernel.org, luka.gejak@linux.dev,
stable@vger.kernel.org
Subject: Re: [PATCH v2 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler()
Date: Mon, 27 Apr 2026 12:17:31 +0300
Message-ID: <ae8pq5YzEe2wTJmx@stanley.mountain>
In-Reply-To: <20260427081748.3407939-2-hossu.alexandru@gmail.com>
On Mon, Apr 27, 2026 at 10:17:47AM +0200, Alexandru Hossu wrote:
> HT_caps_handler() iterates pIE->length bytes and writes into
> HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
> HT_caps_element). Because pIE->length is a raw u8 from an over-the-air
> 802.11 AssocResponse frame and is never validated, a malicious AP can set
> it up to 255, causing up to 229 bytes of out-of-bounds writes into
> adjacent fields of struct mlme_ext_info.
>
> Truncate the iteration count to the size of HT_caps.u.HT_cap using
> min_t() so that data from a longer-than-expected IE is silently ignored
> rather than written out of bounds, preserving interoperability with APs
> that pad the element.
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> ---
We need a little change log here. I was hoping you would provide
a link to the AI review in the changelog.
I feel like the AI review is probably wrong. In this case the
original code corrupted memory so the code didn't "work" before, it
corrupted memory. But I'm interested to see the AI review.
regards,
dan carpenter
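The quoted commit message describes a classic pattern: a length byte taken from an over-the-air element drives a loop that writes into a fixed-size array, and the fix is to clamp the loop bound to the destination size with min_t(). The following is an added illustration of that clamp, not code from the rtl8723bs driver or from the patch itself. It assumes a 26-byte destination array standing in for HT_caps.u.HT_cap, treats the per-byte operation as a plain copy (the real handler's per-byte logic is not reproduced), and uses a constructed element with the HT Capabilities element ID (45) and a length of 255 to show why the unchecked loop would write 229 bytes past the array while the bounded version stops at 26.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for struct HT_caps_element; the real one is 26 bytes. */
#define HT_CAP_LEN 26
struct ht_caps_element {
	uint8_t ht_cap[HT_CAP_LEN];
};

/* Simplified 802.11 information element: element ID, length byte, payload.
 * The length is a raw u8, so a peer can legitimately encode any value 0..255. */
struct ie {
	uint8_t id;
	uint8_t length;
	uint8_t data[255];
};

/* Userspace equivalent of the kernel's min_t(size_t, a, b). */
static size_t min_size(size_t a, size_t b)
{
	return a < b ? a : b;
}

/* How many bytes an unchecked "for (i = 0; i < length; i++)" loop would
 * write past the end of the 26-byte array for a given IE length. */
size_t oob_bytes_for_length(uint8_t ie_len)
{
	return ie_len > HT_CAP_LEN ? (size_t)ie_len - HT_CAP_LEN : 0;
}

/* Bounded handler mirroring the fix: the iteration count is clamped to the
 * destination size, so extra bytes from a padded or hostile element are
 * ignored instead of written out of bounds. Returns the number of bytes
 * actually consumed. */
size_t ht_caps_handler_bounded(struct ht_caps_element *dst, const struct ie *pie)
{
	size_t n = min_size(pie->length, sizeof(dst->ht_cap));
	size_t i;

	memset(dst->ht_cap, 0, sizeof(dst->ht_cap));
	for (i = 0; i < n; i++)
		dst->ht_cap[i] = pie->data[i];
	return n;
}

/* Build a constructed HT Capabilities element (ID 45) of the given length,
 * filled with 0xAA so truncation is visible in the destination. */
void make_constructed_ht_ie(struct ie *out, uint8_t len)
{
	out->id = 45;
	out->length = len;
	memset(out->data, 0xAA, sizeof(out->data));
}

int main(void)
{
	struct ie pie;
	struct ht_caps_element caps;
	size_t copied;

	make_constructed_ht_ie(&pie, 255);
	printf("unchecked loop would overrun by %zu bytes\n",
	       oob_bytes_for_length(pie.length));

	copied = ht_caps_handler_bounded(&caps, &pie);
	printf("bounded handler consumed %zu of %u advertised bytes\n",
	       copied, pie.length);
	return 0;
}
```

The overrun figure of 229 matches the one in the commit message (255 advertised bytes minus the 26-byte array). Clamping with min_t() is the right shape for a parser that must keep talking to peers that pad the element; an alternative that rejects the element outright would be stricter but, as the commit message notes, would cost interoperability.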