From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: dan.carpenter@linaro.org, error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v4 4/5] staging: rtl8723bs: fix out-of-bounds reads in IE parsing functions
Date: Wed, 15 Apr 2026 19:55:00 +0100
Message-ID: <20260415185501.440492-5-delenetchior1@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260415185501.440492-1-delenetchior1@gmail.com>
References: <20260415185501.440492-1-delenetchior1@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

rtw_get_wapi_ie(), rtw_get_sec_ie() and rtw_get_wps_ie() walk a buffer of
Information Elements using the TLV length field without first verifying
that the length byte itself is inside the buffer, and without verifying
that the element's declared length fits inside the remaining buffer. Both
conditions can be reached with crafted input, causing reads past the end
of the buffer.

An attacker within WiFi radio range can exploit this by sending crafted
beacon or probe-response frames carrying truncated or oversized IEs. No
authentication is required.

Ensure the length byte is inside the buffer (cnt + 1 < in_len) and break
out of the loop if the declared element length would read past in_len.

Found by reviewing bounds checks in IE walkers. Not tested on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Reviewed-by: Luka Gejak
Signed-off-by: Delene Tchio Romuald --- v4: add Fixes: tag and Cc: stable (Dan Carpenter); carry Luka Gejak's Reviewed-by. v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl. v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply). drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c index 72b7f731dd471..e0fed3f42de0c 100644 --- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c +++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c @@ -582,9 +582,12 @@ int rtw_get_wapi_ie(u8 *in_ie, uint in_len, u8 *wapi_ie, u16 *wapi_len) cnt = (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_); - while (cnt < in_len) { + while (cnt + 1 < in_len) { authmode = in_ie[cnt]; + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; + if (authmode == WLAN_EID_BSS_AC_ACCESS_DELAY && (!memcmp(&in_ie[cnt + 6], wapi_oui1, 4) || !memcmp(&in_ie[cnt + 6], wapi_oui2, 4))) { @@ -615,9 +618,12 @@ void rtw_get_sec_ie(u8 *in_ie, uint in_len, u8 *rsn_ie, u16 *rsn_len, u8 *wpa_ie cnt = (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_); - while (cnt < in_len) { + while (cnt + 1 < in_len) { authmode = in_ie[cnt]; + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; + if ((authmode == WLAN_EID_VENDOR_SPECIFIC) && (!memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4))) { if (wpa_ie) @@ -658,9 +664,12 @@ u8 *rtw_get_wps_ie(u8 *in_ie, uint in_len, u8 *wps_ie, uint *wps_ielen) cnt = 0; - while (cnt < in_len) { + while (cnt + 1 < in_len) { eid = in_ie[cnt]; + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; + if ((eid == WLAN_EID_VENDOR_SPECIFIC) && (!memcmp(&in_ie[cnt + 2], wps_oui, 4))) { wpsie_ptr = &in_ie[cnt]; -- 2.43.0
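Review bot: in the rtw_get_wapi_ie() hunk (@@ -582), the new check only guarantees cnt + 2 + in_ie[cnt + 1] <= in_len, but the condition immediately after it does memcmp(&in_ie[cnt + 6], wapi_oui1, 4) (and the same for wapi_oui2), which reads offsets cnt + 6 through cnt + 9 and is only inside the element when in_ie[cnt + 1] >= 8. A trailing element with a smaller declared length passes the new check and the memcmp still reads past in_len. Suggest guarding the compare with the element length, e.g. `if (authmode == WLAN_EID_BSS_AC_ACCESS_DELAY && in_ie[cnt + 1] >= 8 &&` followed by the existing OUI compares, so short elements are skipped rather than compared.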
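Review bot: in the rtw_get_sec_ie() hunk (@@ -615), the same gap remains with a smaller margin: memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4) reads offsets cnt + 2 through cnt + 5, so a vendor-specific element with in_ie[cnt + 1] < 4 at the end of the buffer passes the new length check and the compare still runs past in_len. Suggest adding `in_ie[cnt + 1] >= 4 &&` to the WLAN_EID_VENDOR_SPECIFIC condition before the memcmp.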
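Review bot: in the rtw_get_wps_ie() hunk (@@ -658), memcmp(&in_ie[cnt + 2], wps_oui, 4) reads four payload bytes regardless of the declared length, so a vendor-specific element shorter than 4 bytes at the end of in_ie still over-reads after the new guard. Suggest `in_ie[cnt + 1] >= 4 &&` before the memcmp here as well. Since all three walkers now carry the identical two-line guard, a one-line comment on the `cnt + 1 < in_len` condition (it keeps both the id byte and the length byte in range) would help the next reader; a shared helper would be the tidier follow-up but is not needed for a stable fix.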
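To illustrate the two bounds checks the commit message describes, plus the minimum-length check the fixed-offset OUI compares still need, here is an added example of a bounds-checked IE walker; it is not the driver's code, and the element id, OUI value and sample buffers are constructed for the example.

```c
/* Added example (not the rtl8723bs driver's own code): a bounds-checked walk
 * over 802.11 Information Elements. Each IE is a TLV: one id byte, one length
 * byte, then `length` payload bytes. The walker applies the patch's two checks
 * (length byte in range, declared payload fits in the buffer) and additionally
 * requires the payload to be at least as long as the OUI before comparing it,
 * so a short trailing element cannot make the memcmp read past the buffer. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EID_VENDOR_SPECIFIC 221   /* 0xdd, vendor-specific element id */

/* Return the first vendor-specific IE whose payload starts with `oui`, or NULL
 * if none is found or the buffer is truncated before one is reached. */
const uint8_t *find_vendor_ie(const uint8_t *ies, size_t len,
                              const uint8_t *oui, size_t oui_len)
{
    size_t cnt = 0;
    while (cnt + 1 < len) {            /* id byte and length byte in range */
        uint8_t eid = ies[cnt];
        uint8_t elen = ies[cnt + 1];
        if (cnt + 2 + elen > len)      /* declared payload runs past the end */
            return NULL;
        if (eid == EID_VENDOR_SPECIFIC && elen >= oui_len &&
            memcmp(&ies[cnt + 2], oui, oui_len) == 0)
            return &ies[cnt];
        cnt += 2 + elen;               /* advance to the next element */
    }
    return NULL;
}

/* Constructed sample buffers (not captured frames); the OUI is assumed. */
static const uint8_t wps_oui[4] = { 0x00, 0x50, 0xf2, 0x04 };

/* SSID IE "ab" followed by a vendor IE with a 6-byte payload. */
static const uint8_t good_ies[] = {
    0x00, 0x02, 'a', 'b',
    0xdd, 0x06, 0x00, 0x50, 0xf2, 0x04, 0x10, 0x4a,
};

/* Same, but the vendor IE claims 6 payload bytes while only 2 follow. */
static const uint8_t oversized_ies[] = {
    0x00, 0x02, 'a', 'b',
    0xdd, 0x06, 0x00, 0x50,
};

/* Vendor IE whose 2-byte payload is shorter than the 4-byte OUI (skipped,
 * not compared), followed by a lone id byte with no length byte (ignored). */
static const uint8_t short_ies[] = { 0xdd, 0x02, 0x00, 0x50, 0x00 };
```

The oversized buffer makes the walker stop at the truncated element, and the short buffer shows why the length check alone is not enough for a fixed-offset compare.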