* [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler()
@ 2026-04-20 14:04 Alexandru Hossu
2026-04-20 14:04 ` [PATCH 2/2] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop Alexandru Hossu
2026-04-20 14:06 ` [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler() Alexandru Hossu
0 siblings, 2 replies; 4+ messages in thread
From: Alexandru Hossu @ 2026-04-20 14:04 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, linux-kernel, dan.carpenter, Alexandru Hossu
From: Alexandru Hossu <a.hossu@student.tudelft.nl>
HT_caps_handler() iterates pIE->length bytes and writes into
HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
HT_caps_element). Because pIE->length is a raw u8 from an over-the-air
802.11 AssocResponse frame and is never validated, a malicious AP can set
it up to 255, causing up to 229 bytes of out-of-bounds writes into
adjacent fields of struct mlme_ext_info.
The parallel function HT_info_handler() already carries the correct guard:
if (pIE->length > sizeof(struct HT_info_element))
return;
Apply the same pattern to HT_caps_handler().
Signed-off-by: Alexandru Hossu <a.hossu@student.tudelft.nl>
---
drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index 6a7c09db4..b75e7f4f8 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -934,6 +934,9 @@ void HT_caps_handler(struct adapter *padapter, struct ndis_80211_var_ie *pIE)
if (phtpriv->ht_option == false)
return;
+ if (pIE->length > sizeof(struct HT_caps_element))
+ return;
+
pmlmeinfo->HT_caps_enable = 1;
for (i = 0; i < (pIE->length); i++) {
--
2.53.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/2] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop
2026-04-20 14:04 [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler() Alexandru Hossu
@ 2026-04-20 14:04 ` Alexandru Hossu
2026-04-20 14:06 ` [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler() Alexandru Hossu
1 sibling, 0 replies; 4+ messages in thread
From: Alexandru Hossu @ 2026-04-20 14:04 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, linux-kernel, dan.carpenter, Alexandru Hossu
From: Alexandru Hossu <a.hossu@student.tudelft.nl>
The IE parsing loop in OnAssocRsp() advances by (pIE->length + 2) each
iteration but only guards on i < pkt_len. When a malicious AP sends an
AssocResponse whose last IE has only one byte remaining in the frame (the
element_id byte lands at pkt_len-1), the loop reads pIE->length from
pframe[pkt_len], which is one byte past the allocated receive buffer.
Additionally, even when the header bytes are in bounds, pIE->length itself
can extend the data window beyond pkt_len, silently passing a truncated IE
to the handler functions.
Add two guards at the top of the loop body:
1. Break if fewer than sizeof(*pIE) bytes remain (can't read the header).
2. Break if the IE's declared data extends past pkt_len.
Signed-off-by: Alexandru Hossu <a.hossu@student.tudelft.nl>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index 5f00fe282..9666226a6 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -1400,7 +1400,11 @@ unsigned int OnAssocRsp(struct adapter *padapter, union recv_frame *precv_frame)
/* to handle HT, WMM, rate adaptive, update MAC reg */
/* for not to handle the synchronous IO in the tasklet */
for (i = (6 + WLAN_HDR_A3_LEN); i < pkt_len;) {
+ if (i + sizeof(*pIE) > pkt_len)
+ break;
pIE = (struct ndis_80211_var_ie *)(pframe + i);
+ if (i + sizeof(*pIE) + pIE->length > pkt_len)
+ break;
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:
--
2.53.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler()
2026-04-20 14:04 [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler() Alexandru Hossu
2026-04-20 14:04 ` [PATCH 2/2] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop Alexandru Hossu
@ 2026-04-20 14:06 ` Alexandru Hossu
1 sibling, 0 replies; 4+ messages in thread
From: Alexandru Hossu @ 2026-04-20 14:06 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, linux-kernel, dan.carpenter, Alexandru Hossu
Sorry for the noise — the previous series was sent with the wrong
From/Signed-off-by (university address instead of personal Gmail).
Please ignore patches 1/2 and 2/2 from Message-ID
<20260420140432.150431-1-hossu.alexandru@gmail.com>.
Resending the correct series now.
Alexandru
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler()
@ 2026-04-20 14:08 Alexandru Hossu
0 siblings, 0 replies; 4+ messages in thread
From: Alexandru Hossu @ 2026-04-20 14:08 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, linux-kernel, dan.carpenter, Alexandru Hossu
HT_caps_handler() iterates pIE->length bytes and writes into
HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
HT_caps_element). Because pIE->length is a raw u8 from an over-the-air
802.11 AssocResponse frame and is never validated, a malicious AP can set
it up to 255, causing up to 229 bytes of out-of-bounds writes into
adjacent fields of struct mlme_ext_info.
The parallel function HT_info_handler() already carries the correct guard:
if (pIE->length > sizeof(struct HT_info_element))
return;
Apply the same pattern to HT_caps_handler().
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index 6a7c09db4..b75e7f4f8 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -934,6 +934,9 @@ void HT_caps_handler(struct adapter *padapter, struct ndis_80211_var_ie *pIE)
if (phtpriv->ht_option == false)
return;
+ if (pIE->length > sizeof(struct HT_caps_element))
+ return;
+
pmlmeinfo->HT_caps_enable = 1;
for (i = 0; i < (pIE->length); i++) {
--
2.53.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-04-20 14:09 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-20 14:04 [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler() Alexandru Hossu
2026-04-20 14:04 ` [PATCH 2/2] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop Alexandru Hossu
2026-04-20 14:06 ` [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler() Alexandru Hossu
-- strict thread matches above, loose matches on Subject: below --
2026-04-20 14:08 Alexandru Hossu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox