From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out-189.mta0.migadu.com (out-189.mta0.migadu.com [91.218.175.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DC46C1F151C for ; Tue, 21 Apr 2026 14:40:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.189 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776782436; cv=none; b=hC2/eIq9sfOCOB/m344hYygwvYr4eIoPLWw46pWimwnXbGz42UKGpol0k71VLtuwcvqpqTCJos+1Vg55FPXQASWs4p9T1Sr9UshVW2MLkMJVR5BYIzSb0NKDVQ3NkKqCaZcIYro2+rqmEKlGFRjeFTvyTKe7ossGsuh4oz+9icM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776782436; c=relaxed/simple; bh=5wG+APcr1JHd2EGxAPouI6P2F4hukwcRnB9UdasgeiA=; h=Mime-Version:Content-Type:Date:Message-Id:Cc:Subject:From:To: References:In-Reply-To; b=OPk9n2mLhR+jtch2tsMQqqFrgnwkH7rnS/j7YzAkbjIl16jAQSI2pDXb374O2fs+zg5PueqxF2uBZCxjAPHSi3SZkeioOPcCHfnnK/Z7BKR5oJXyC+VOVgue1eMMXBwUshYBfQB6DmSd8gmgNsfVRePtmuBsvgch8mu6OiIaixM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=ouY+AbAF; arc=none smtp.client-ip=91.218.175.189 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="ouY+AbAF" Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1776782423; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=bkWWTbkGz55P2NNqlDb4FkohGArD1vj/VXxtGWQCjLU=; b=ouY+AbAFvdkRw/JQvHH//woEP9PfnSNApzfIyAHpDj4TV0gXoip6D3qGKeIYYGhfpYalIZ Rq7LJUikNHufBDuM4YJldR2Dd/0ubIcYBcyQPfal5lzDnfe4xnihhuP1cMa/zxAkBDsyaI V12T+Ylp2Z1hLwumadu292Cesd0zz50= Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Tue, 21 Apr 2026 16:40:17 +0200 Message-Id: Cc: , , Subject: Re: [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler() X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: "Luka Gejak" To: "Alexandru Hossu" , References: <20260420140807.152739-1-hossu.alexandru@gmail.com> In-Reply-To: <20260420140807.152739-1-hossu.alexandru@gmail.com> X-Migadu-Flow: FLOW_OUT On Mon Apr 20, 2026 at 4:08 PM CEST, Alexandru Hossu wrote: > HT_caps_handler() iterates pIE->length bytes and writes into > HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct > HT_caps_element). Because pIE->length is a raw u8 from an over-the-air > 802.11 AssocResponse frame and is never validated, a malicious AP can set > it up to 255, causing up to 229 bytes of out-of-bounds writes into > adjacent fields of struct mlme_ext_info. > > The parallel function HT_info_handler() already carries the correct guard= : > > if (pIE->length > sizeof(struct HT_info_element)) > return; > > Apply the same pattern to HT_caps_handler(). > > Signed-off-by: Alexandru Hossu > --- > drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/sta= ging/rtl8723bs/core/rtw_wlan_util.c > index 6a7c09db4..b75e7f4f8 100644 > --- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c > +++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c > @@ -934,6 +934,9 @@ void HT_caps_handler(struct adapter *padapter, struct= ndis_80211_var_ie *pIE) > if (phtpriv->ht_option =3D=3D false) > return; > =20 > + if (pIE->length > sizeof(struct HT_caps_element)) > + return; > + > pmlmeinfo->HT_caps_enable =3D 1; > =20 > for (i =3D 0; i < (pIE->length); i++) { Hi Alexandru, this fix has been made already by Greg HK therefore this patch is=20 unnecessary. You can see his patch at [1]. Best regards, Luka Gejak [1]: https://lore.kernel.org/linux-staging/2026041408-grill-mahogany-d1e3@g= regkh/