* [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler()
@ 2026-04-20 14:04 Alexandru Hossu
2026-04-20 14:06 ` Alexandru Hossu
0 siblings, 1 reply; 7+ messages in thread
From: Alexandru Hossu @ 2026-04-20 14:04 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, linux-kernel, dan.carpenter, Alexandru Hossu
From: Alexandru Hossu <a.hossu@student.tudelft.nl>
HT_caps_handler() iterates pIE->length bytes and writes into
HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
HT_caps_element). Because pIE->length is a raw u8 from an over-the-air
802.11 AssocResponse frame and is never validated, a malicious AP can set
it up to 255, causing up to 229 bytes of out-of-bounds writes into
adjacent fields of struct mlme_ext_info.
The parallel function HT_info_handler() already carries the correct guard:
if (pIE->length > sizeof(struct HT_info_element))
return;
Apply the same pattern to HT_caps_handler().
Signed-off-by: Alexandru Hossu <a.hossu@student.tudelft.nl>
---
drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index 6a7c09db4..b75e7f4f8 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -934,6 +934,9 @@ void HT_caps_handler(struct adapter *padapter, struct ndis_80211_var_ie *pIE)
if (phtpriv->ht_option == false)
return;
+ if (pIE->length > sizeof(struct HT_caps_element))
+ return;
+
pmlmeinfo->HT_caps_enable = 1;
for (i = 0; i < (pIE->length); i++) {
--
2.53.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler()
2026-04-20 14:04 Alexandru Hossu
@ 2026-04-20 14:06 ` Alexandru Hossu
0 siblings, 0 replies; 7+ messages in thread
From: Alexandru Hossu @ 2026-04-20 14:06 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, linux-kernel, dan.carpenter, Alexandru Hossu
Sorry for the noise — the previous series was sent with the wrong
From/Signed-off-by (university address instead of personal Gmail).
Please ignore patches 1/2 and 2/2 from Message-ID
<20260420140432.150431-1-hossu.alexandru@gmail.com>.
Resending the correct series now.
Alexandru
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler()
@ 2026-04-20 14:08 Alexandru Hossu
2026-04-20 14:08 ` [PATCH 2/2] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop Alexandru Hossu
2026-04-21 14:40 ` [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler() Luka Gejak
0 siblings, 2 replies; 7+ messages in thread
From: Alexandru Hossu @ 2026-04-20 14:08 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, linux-kernel, dan.carpenter, Alexandru Hossu
HT_caps_handler() iterates pIE->length bytes and writes into
HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
HT_caps_element). Because pIE->length is a raw u8 from an over-the-air
802.11 AssocResponse frame and is never validated, a malicious AP can set
it up to 255, causing up to 229 bytes of out-of-bounds writes into
adjacent fields of struct mlme_ext_info.
The parallel function HT_info_handler() already carries the correct guard:
if (pIE->length > sizeof(struct HT_info_element))
return;
Apply the same pattern to HT_caps_handler().
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index 6a7c09db4..b75e7f4f8 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -934,6 +934,9 @@ void HT_caps_handler(struct adapter *padapter, struct ndis_80211_var_ie *pIE)
if (phtpriv->ht_option == false)
return;
+ if (pIE->length > sizeof(struct HT_caps_element))
+ return;
+
pmlmeinfo->HT_caps_enable = 1;
for (i = 0; i < (pIE->length); i++) {
--
2.53.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 2/2] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop
2026-04-20 14:08 [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler() Alexandru Hossu
@ 2026-04-20 14:08 ` Alexandru Hossu
2026-04-21 14:43 ` Luka Gejak
2026-04-21 14:40 ` [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler() Luka Gejak
1 sibling, 1 reply; 7+ messages in thread
From: Alexandru Hossu @ 2026-04-20 14:08 UTC (permalink / raw)
To: gregkh; +Cc: linux-staging, linux-kernel, dan.carpenter, Alexandru Hossu
The IE parsing loop in OnAssocRsp() advances by (pIE->length + 2) each
iteration but only guards on i < pkt_len. When a malicious AP sends an
AssocResponse whose last IE has only one byte remaining in the frame (the
element_id byte lands at pkt_len-1), the loop reads pIE->length from
pframe[pkt_len], which is one byte past the allocated receive buffer.
Additionally, even when the header bytes are in bounds, pIE->length itself
can extend the data window beyond pkt_len, silently passing a truncated IE
to the handler functions.
Add two guards at the top of the loop body:
1. Break if fewer than sizeof(*pIE) bytes remain (can't read the header).
2. Break if the IE's declared data extends past pkt_len.
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index 5f00fe282..9666226a6 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -1400,7 +1400,11 @@ unsigned int OnAssocRsp(struct adapter *padapter, union recv_frame *precv_frame)
/* to handle HT, WMM, rate adaptive, update MAC reg */
/* for not to handle the synchronous IO in the tasklet */
for (i = (6 + WLAN_HDR_A3_LEN); i < pkt_len;) {
+ if (i + sizeof(*pIE) > pkt_len)
+ break;
pIE = (struct ndis_80211_var_ie *)(pframe + i);
+ if (i + sizeof(*pIE) + pIE->length > pkt_len)
+ break;
switch (pIE->element_id) {
case WLAN_EID_VENDOR_SPECIFIC:
--
2.53.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler()
2026-04-20 14:08 [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler() Alexandru Hossu
2026-04-20 14:08 ` [PATCH 2/2] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop Alexandru Hossu
@ 2026-04-21 14:40 ` Luka Gejak
2026-04-21 14:45 ` Luka Gejak
1 sibling, 1 reply; 7+ messages in thread
From: Luka Gejak @ 2026-04-21 14:40 UTC (permalink / raw)
To: Alexandru Hossu, gregkh; +Cc: linux-staging, linux-kernel, dan.carpenter
On Mon Apr 20, 2026 at 4:08 PM CEST, Alexandru Hossu wrote:
> HT_caps_handler() iterates pIE->length bytes and writes into
> HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
> HT_caps_element). Because pIE->length is a raw u8 from an over-the-air
> 802.11 AssocResponse frame and is never validated, a malicious AP can set
> it up to 255, causing up to 229 bytes of out-of-bounds writes into
> adjacent fields of struct mlme_ext_info.
>
> The parallel function HT_info_handler() already carries the correct guard:
>
> if (pIE->length > sizeof(struct HT_info_element))
> return;
>
> Apply the same pattern to HT_caps_handler().
>
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> ---
> drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> index 6a7c09db4..b75e7f4f8 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> @@ -934,6 +934,9 @@ void HT_caps_handler(struct adapter *padapter, struct ndis_80211_var_ie *pIE)
> if (phtpriv->ht_option == false)
> return;
>
> + if (pIE->length > sizeof(struct HT_caps_element))
> + return;
> +
> pmlmeinfo->HT_caps_enable = 1;
>
> for (i = 0; i < (pIE->length); i++) {
Hi Alexandru,
this fix has been made already by Greg HK therefore this patch is
unnecessary. You can see his patch at [1].
Best regards,
Luka Gejak
[1]: https://lore.kernel.org/linux-staging/2026041408-grill-mahogany-d1e3@gregkh/
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 2/2] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop
2026-04-20 14:08 ` [PATCH 2/2] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop Alexandru Hossu
@ 2026-04-21 14:43 ` Luka Gejak
0 siblings, 0 replies; 7+ messages in thread
From: Luka Gejak @ 2026-04-21 14:43 UTC (permalink / raw)
To: Alexandru Hossu, gregkh; +Cc: linux-staging, linux-kernel, dan.carpenter
On Mon Apr 20, 2026 at 4:08 PM CEST, Alexandru Hossu wrote:
> The IE parsing loop in OnAssocRsp() advances by (pIE->length + 2) each
> iteration but only guards on i < pkt_len. When a malicious AP sends an
> AssocResponse whose last IE has only one byte remaining in the frame (the
> element_id byte lands at pkt_len-1), the loop reads pIE->length from
> pframe[pkt_len], which is one byte past the allocated receive buffer.
>
> Additionally, even when the header bytes are in bounds, pIE->length itself
> can extend the data window beyond pkt_len, silently passing a truncated IE
> to the handler functions.
>
> Add two guards at the top of the loop body:
> 1. Break if fewer than sizeof(*pIE) bytes remain (can't read the header).
> 2. Break if the IE's declared data extends past pkt_len.
>
> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
> ---
> drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> index 5f00fe282..9666226a6 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
> @@ -1400,7 +1400,11 @@ unsigned int OnAssocRsp(struct adapter *padapter, union recv_frame *precv_frame)
> /* to handle HT, WMM, rate adaptive, update MAC reg */
> /* for not to handle the synchronous IO in the tasklet */
> for (i = (6 + WLAN_HDR_A3_LEN); i < pkt_len;) {
> + if (i + sizeof(*pIE) > pkt_len)
> + break;
> pIE = (struct ndis_80211_var_ie *)(pframe + i);
> + if (i + sizeof(*pIE) + pIE->length > pkt_len)
> + break;
>
> switch (pIE->element_id) {
> case WLAN_EID_VENDOR_SPECIFIC:
LGTM.
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Best regards,
Luka Gejak
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler()
2026-04-21 14:40 ` [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler() Luka Gejak
@ 2026-04-21 14:45 ` Luka Gejak
0 siblings, 0 replies; 7+ messages in thread
From: Luka Gejak @ 2026-04-21 14:45 UTC (permalink / raw)
To: Luka Gejak, Alexandru Hossu, gregkh
Cc: linux-staging, linux-kernel, dan.carpenter
On Tue Apr 21, 2026 at 4:40 PM CEST, Luka Gejak wrote:
> On Mon Apr 20, 2026 at 4:08 PM CEST, Alexandru Hossu wrote:
>> HT_caps_handler() iterates pIE->length bytes and writes into
>> HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
>> HT_caps_element). Because pIE->length is a raw u8 from an over-the-air
>> 802.11 AssocResponse frame and is never validated, a malicious AP can set
>> it up to 255, causing up to 229 bytes of out-of-bounds writes into
>> adjacent fields of struct mlme_ext_info.
>>
>> The parallel function HT_info_handler() already carries the correct guard:
>>
>> if (pIE->length > sizeof(struct HT_info_element))
>> return;
>>
>> Apply the same pattern to HT_caps_handler().
>>
>> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
>> ---
>> drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
>> index 6a7c09db4..b75e7f4f8 100644
>> --- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
>> +++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
>> @@ -934,6 +934,9 @@ void HT_caps_handler(struct adapter *padapter, struct ndis_80211_var_ie *pIE)
>> if (phtpriv->ht_option == false)
>> return;
>>
>> + if (pIE->length > sizeof(struct HT_caps_element))
>> + return;
>> +
>> pmlmeinfo->HT_caps_enable = 1;
>>
>> for (i = 0; i < (pIE->length); i++) {
>
> Hi Alexandru,
> this fix has been made already by Greg HK therefore this patch is
^^^^ *KH (Kroah-Hartman)
> unnecessary. You can see his patch at [1].
> Best regards,
> Luka Gejak
>
> [1]: https://lore.kernel.org/linux-staging/2026041408-grill-mahogany-d1e3@gregkh/
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2026-04-21 14:45 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-20 14:08 [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler() Alexandru Hossu
2026-04-20 14:08 ` [PATCH 2/2] staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop Alexandru Hossu
2026-04-21 14:43 ` Luka Gejak
2026-04-21 14:40 ` [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler() Luka Gejak
2026-04-21 14:45 ` Luka Gejak
-- strict thread matches above, loose matches on Subject: below --
2026-04-20 14:04 Alexandru Hossu
2026-04-20 14:06 ` Alexandru Hossu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox