From: Delene Tchio Romuald
To: gregkh@linuxfoundation.org
Cc: error27@gmail.com, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Delene Tchio Romuald
Subject: [PATCH v6 4/5] staging: rtl8723bs: fix out-of-bounds reads in IE parsing functions
Date: Fri, 17 Apr 2026 07:10:47 +0100
Message-ID: <20260417061048.62484-5-delenetchior1@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260417061048.62484-1-delenetchior1@gmail.com>
References: <20260417061048.62484-1-delenetchior1@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

rtw_get_wapi_ie(), rtw_get_sec_ie() and rtw_get_wps_ie() walk a buffer of Information Elements using the TLV length field without first verifying that the length byte itself is inside the buffer, and without verifying that the specific bytes dereferenced by the subsequent memcmp() calls fit inside the declared element.

An attacker within WiFi radio range can exploit this by sending crafted beacon or probe-response frames carrying truncated or oversized IEs. No authentication is required.

Ensure the length byte is inside the buffer (cnt + 1 < in_len), break out of the loop if the declared element length would read past in_len, and before each memcmp() verify that the offsets it touches are inside the buffer: cnt + 10 for the WAPI OUI compared at offset 6, and cnt + 6 for the WPA/WPS OUIs compared at offset 2.

Found by reviewing bounds checks in IE walkers. Not tested on hardware.

Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Delene Tchio Romuald
---
v6: unchanged.
v5: add an inner bound check before each memcmp() so that the OUI read at offset 6 (WAPI) or offset 2 (WPA/WPS) stays inside the declared element (Dan Carpenter).
v4: add Fixes: tag and Cc: stable (Dan Carpenter).
v3: rebased on staging-next; sent as numbered series with proper Cc from get_maintainer.pl.
v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not apply).

 .../staging/rtl8723bs/core/rtw_ieee80211.c | 70 +++++++++++++------
 1 file changed, 47 insertions(+), 23 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c index 72b7f731dd471..1b61879acb48e 100644 --- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c +++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c @@ -582,18 +582,25 @@ int rtw_get_wapi_ie(u8 *in_ie, uint in_len, u8 *wapi_ie, u16 *wapi_len) cnt = (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_); - while (cnt < in_len) { + while (cnt + 1 < in_len) { authmode = in_ie[cnt]; - if (authmode == WLAN_EID_BSS_AC_ACCESS_DELAY && - (!memcmp(&in_ie[cnt + 6], wapi_oui1, 4) || - !memcmp(&in_ie[cnt + 6], wapi_oui2, 4))) { - if (wapi_ie) - memcpy(wapi_ie, &in_ie[cnt], in_ie[cnt + 1] + 2); + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; + + if (authmode == WLAN_EID_BSS_AC_ACCESS_DELAY) { + if (cnt + 10 > in_len) + break; - if (wapi_len) - *wapi_len = in_ie[cnt + 1] + 2; + if (!memcmp(&in_ie[cnt + 6], wapi_oui1, 4) || + !memcmp(&in_ie[cnt + 6], wapi_oui2, 4)) { + if (wapi_ie) + memcpy(wapi_ie, &in_ie[cnt], + in_ie[cnt + 1] + 2); + if (wapi_len) + *wapi_len = in_ie[cnt + 1] + 2; + } } cnt += in_ie[cnt + 1] + 2; /* get next */ 
@@ -615,15 +622,23 @@ void rtw_get_sec_ie(u8 *in_ie, uint in_len, u8 *rsn_ie, u16 *rsn_len, u8 *wpa_ie cnt = (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_); - while (cnt < in_len) { + while (cnt + 1 < in_len) { authmode = in_ie[cnt]; - if ((authmode == WLAN_EID_VENDOR_SPECIFIC) && - (!memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4))) { - if (wpa_ie) - memcpy(wpa_ie, &in_ie[cnt], in_ie[cnt + 1] + 2); + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; + + if (authmode == WLAN_EID_VENDOR_SPECIFIC) { + if (cnt + 6 > in_len) + break; + + if (!memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4)) { + if (wpa_ie) + memcpy(wpa_ie, &in_ie[cnt], + in_ie[cnt + 1] + 2); - *wpa_len = in_ie[cnt + 1] + 2; + *wpa_len = in_ie[cnt + 1] + 2; + } } else if (authmode == WLAN_EID_RSN) { if (rsn_ie) memcpy(rsn_ie, &in_ie[cnt], in_ie[cnt + 1] + 2); @@ -658,21 +673,30 @@ u8 *rtw_get_wps_ie(u8 *in_ie, uint in_len, u8 *wps_ie, uint *wps_ielen) cnt = 0; - while (cnt < in_len) { + while (cnt + 1 < in_len) { eid = in_ie[cnt]; - if ((eid == WLAN_EID_VENDOR_SPECIFIC) && (!memcmp(&in_ie[cnt + 2], wps_oui, 4))) { - wpsie_ptr = &in_ie[cnt]; + if (cnt + 2 + in_ie[cnt + 1] > in_len) + break; - if (wps_ie) - memcpy(wps_ie, &in_ie[cnt], in_ie[cnt + 1] + 2); + if (eid == WLAN_EID_VENDOR_SPECIFIC) { + if (cnt + 6 > in_len) + break; - if (wps_ielen) - *wps_ielen = in_ie[cnt + 1] + 2; + if (!memcmp(&in_ie[cnt + 2], wps_oui, 4)) { + wpsie_ptr = &in_ie[cnt]; - cnt += in_ie[cnt + 1] + 2; + if (wps_ie) + memcpy(wps_ie, &in_ie[cnt], + in_ie[cnt + 1] + 2); - break; + if (wps_ielen) + *wps_ielen = in_ie[cnt + 1] + 2; + + cnt += in_ie[cnt + 1] + 2; + + break; + } } cnt += in_ie[cnt + 1] + 2; /* goto next */ } -- 2.43.0
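Review bot: the inner guard in rtw_get_wapi_ie(), `if (cnt + 10 > in_len) break;`, bounds the OUI read against the end of the buffer, but the commit message and the v5 changelog say the bytes touched by memcmp() are checked against the declared element. An element that declares fewer than 8 body bytes passes both checks when it is not near the end of in_len, and `in_ie[cnt + 6]..in_ie[cnt + 9]` then reads the following element's bytes rather than its own. Since the preceding `cnt + 2 + in_ie[cnt + 1] > in_len` check already guarantees that anything inside the declared element is inside the buffer, an element-relative test such as `if (in_ie[cnt + 1] < 8)` followed by the usual advance (`cnt += in_ie[cnt + 1] + 2; continue;`) would match what the commit message says, would not match a short WAPI element on its neighbour's bytes, and would not terminate the walk just because a short element happens to sit within 10 bytes of the end of the buffer. If the buffer-relative form is kept, the commit message wording should be aligned with it.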
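Review bot: `*wpa_len = in_ie[cnt + 1] + 2;` in rtw_get_sec_ie() is still stored without a NULL check, while `wpa_ie` and `rsn_ie` in the same function and `wapi_len` / `wps_ielen` in the other two walkers are all guarded. This predates the patch and is only re-indented here, but since the line is being touched anyway, `if (wpa_len)` would make the three walkers consistent; otherwise it is worth a follow-up. The `cnt + 6 > in_len` guard has the same buffer-versus-element shape noted for rtw_get_wapi_ie(): a vendor-specific IE that declares fewer than 4 body bytes is compared against the next element's bytes, so `in_ie[cnt + 1] < 4` is the test that corresponds to "stays inside the declared element" in the changelog.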
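Review bot: in rtw_get_wps_ie() the `cnt += in_ie[cnt + 1] + 2;` placed immediately before the `break` is carried over from the original code; it only has an effect if `cnt` is read after the loop, which this hunk does not show. If it is not, dropping that line in a follow-up would remove a confusing duplicate of the advance at the bottom of the loop body; keeping it in this patch is fine for minimal diff. Note also that this walker starts at `cnt = 0` rather than past the fixed beacon header, so the new `cnt + 1 < in_len` loop condition is what protects the very first iteration when in_len is 0 or 1; that is correct and worth a sentence in the commit message, since it is a different entry condition from the other two functions.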
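As an added illustration of the three checks this patch describes (length byte inside the buffer, declared element inside the buffer, OUI bytes inside the element), here is a stand-alone IE walker in C. It is not the driver's code: `find_vendor_ie()`, `wpa_ie_offset()`, `wpa_ie_total_len()` and the sample frames are constructed for this example. It goes one step beyond the patch by testing the OUI read against the declared element length rather than only against `in_len`, so a vendor-specific element declaring fewer than 4 body bytes is skipped instead of being matched on the next element's bytes.

```c
/* Added example, not code from the rtl8723bs driver. Names and sample
 * frames below are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EID_VENDOR_SPECIFIC 221

/* Walk a buffer of 802.11 Information Elements (EID, length, body) and
 * return the first vendor-specific IE whose first 4 body bytes equal
 * `oui` (3-byte OUI plus vendor type). On success *ie_len receives the
 * whole element length including the 2-byte header. Returns NULL when no
 * such element can be found without reading past `in_len` or past the
 * element's own declared length. */
static const uint8_t *find_vendor_ie(const uint8_t *in_ie, size_t in_len,
                                     const uint8_t oui[4], size_t *ie_len)
{
    size_t cnt = 0;

    /* Check 1: both the EID byte and the length byte must be in range. */
    while (cnt + 1 < in_len) {
        uint8_t eid = in_ie[cnt];
        uint8_t len = in_ie[cnt + 1];

        /* Check 2: the declared element must fit inside the buffer. A
         * truncated element means nothing after it can be trusted. */
        if (cnt + 2 + len > in_len)
            break;

        /* Check 3: the OUI occupies body bytes 0..3, so the element must
         * declare at least 4 body bytes. Testing the declared length here
         * (rather than cnt + 6 against in_len) keeps the compare inside
         * this element instead of spilling into the next one. */
        if (eid == EID_VENDOR_SPECIFIC && len >= 4 &&
            memcmp(&in_ie[cnt + 2], oui, 4) == 0) {
            if (ie_len)
                *ie_len = (size_t)len + 2;
            return &in_ie[cnt];
        }

        cnt += (size_t)len + 2; /* next element */
    }
    return NULL;
}

/* WPA vendor IE identifier: Microsoft OUI 00:50:f2 with type 1. */
static const uint8_t wpa_oui[4] = { 0x00, 0x50, 0xf2, 0x01 };

/* Constructed sample frames (not captured traffic). */
static const uint8_t frame_ok[] = {
    0x00, 0x02, 'a', 'b',                          /* SSID IE "ab"        */
    0xdd, 0x06, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00 /* WPA IE, 6-byte body */
};
static const uint8_t frame_dangling_len[] = {
    0x00, 0x02, 'a', 'b', 0xdd                     /* EID with no length  */
};
static const uint8_t frame_short_vendor[] = {
    0xdd, 0x02, 0x00, 0x50,  /* vendor IE declaring only 2 body bytes     */
    0xf2, 0x01, 0xaa         /* next IE: EID 0xf2, len 1; together with the
                              * previous bytes this spells the WPA OUI    */
};

/* Byte offset of the WPA IE in buf, or -1 if none is found safely. */
long wpa_ie_offset(const uint8_t *buf, size_t n)
{
    const uint8_t *p = find_vendor_ie(buf, n, wpa_oui, NULL);
    return p ? (long)(p - buf) : -1;
}

/* Total length (header + body) of the WPA IE, or -1 if none is found. */
long wpa_ie_total_len(const uint8_t *buf, size_t n)
{
    size_t len = 0;
    return find_vendor_ie(buf, n, wpa_oui, &len) ? (long)len : -1;
}

int main(void)
{
    printf("well-formed:          offset %ld, total len %ld\n",
           wpa_ie_offset(frame_ok, sizeof frame_ok),
           wpa_ie_total_len(frame_ok, sizeof frame_ok));
    /* Same frame with in_len cut to 8: WPA body runs past the buffer. */
    printf("truncated body:       %ld\n", wpa_ie_offset(frame_ok, 8));
    printf("dangling length byte: %ld\n",
           wpa_ie_offset(frame_dangling_len, sizeof frame_dangling_len));
    printf("short vendor IE:      %ld\n",
           wpa_ie_offset(frame_short_vendor, sizeof frame_short_vendor));
    return 0;
}
```

The last two cases are the ones the unpatched walkers get wrong: `frame_dangling_len` makes `in_ie[cnt + 1]` a read one byte past the buffer, and `frame_short_vendor` shows why the element length, not only `in_len`, has to bound the OUI compare.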