[PATCH v2] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop

[PATCH v2] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop

[Alexandru Hossu]

The IE parsing loop in update_beacon_info() advances by
(pIE->length + 2) each iteration but only guards on i < len.
When a malicious AP sends a Beacon whose last IE has only one byte
remaining in the frame (the element_id byte lands at len-1), the loop
reads pIE->length from one byte past the allocated receive buffer.

Additionally, even when the header bytes are in bounds, pIE->length
itself can extend the data window beyond len, passing a truncated IE
to the handler functions.

Add two guards at the top of the loop body:
  1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
  2. Break if the IE's declared data extends past len.

Also replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length
for consistency with the sizeof(*pIE) guards added above.

Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
v2: Replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length
    for consistency with the sizeof(*pIE) guards (Dan Carpenter).

 drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index 6a7c09db4cd9..e0d73c267786 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -1289,7 +1289,11 @@ void update_beacon_info(struct adapter *padapter, u8 *pframe, uint pkt_len, stru
 	len = pkt_len - (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN);
 
 	for (i = 0; i < len;) {
+		if (i + sizeof(*pIE) > len)
+			break;
 		pIE = (struct ndis_80211_var_ie *)(pframe + (_BEACON_IE_OFFSET_ + WLAN_HDR_A3_LEN) + i);
+		if (i + sizeof(*pIE) + pIE->length > len)
+			break;
 
 		switch (pIE->element_id) {
 		case WLAN_EID_VENDOR_SPECIFIC:
@@ -1314,7 +1318,7 @@ void update_beacon_info(struct adapter *padapter, u8 *pframe, uint pkt_len, stru
 			break;
 		}
 
-		i += (pIE->length + 2);
+		i += sizeof(*pIE) + pIE->length;
 	}
 }
 
-- 
2.53.0

Re: [PATCH v2] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop

[Dan Carpenter]

On Sat, Apr 25, 2026 at 01:59:36PM +0200, Alexandru Hossu wrote:
> The IE parsing loop in update_beacon_info() advances by
> (pIE->length + 2) each iteration but only guards on i < len.
> When a malicious AP sends a Beacon whose last IE has only one byte
> remaining in the frame (the element_id byte lands at len-1), the loop
> reads pIE->length from one byte past the allocated receive buffer.
> 
> Additionally, even when the header bytes are in bounds, pIE->length
> itself can extend the data window beyond len, passing a truncated IE
> to the handler functions.
> 
> Add two guards at the top of the loop body:
>   1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
>   2. Break if the IE's declared data extends past len.
> 
> Also replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length
> for consistency with the sizeof(*pIE) guards added above.
> 
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> ---
> v2: Replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length
>     for consistency with the sizeof(*pIE) guards (Dan Carpenter).

Please wait a day between resends and resend the whole series.

regards,
dan carpenter