Date: Mon, 27 Apr 2026 12:17:31 +0300
From: Dan Carpenter
To: Alexandru Hossu
Cc: gregkh@linuxfoundation.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, luka.gejak@linux.dev, stable@vger.kernel.org
Subject: Re: [PATCH v2 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler()
X-Mailing-List: linux-kernel@vger.kernel.org
References: <20260427081748.3407939-1-hossu.alexandru@gmail.com> <20260427081748.3407939-2-hossu.alexandru@gmail.com>
In-Reply-To: <20260427081748.3407939-2-hossu.alexandru@gmail.com>

On Mon, Apr 27, 2026 at 10:17:47AM +0200, Alexandru Hossu wrote:
> HT_caps_handler() iterates pIE->length bytes and writes into
> HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
> HT_caps_element). Because pIE->length is a raw u8 from an over-the-air
> 802.11 AssocResponse frame and is never validated, a malicious AP can set
> it up to 255, causing up to 229 bytes of out-of-bounds writes into
> adjacent fields of struct mlme_ext_info.
>
> Truncate the iteration count to the size of HT_caps.u.HT_cap using
> min_t() so that data from a longer-than-expected IE is silently ignored
> rather than written out of bounds, preserving interoperability with APs
> that pad the element.
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@vger.kernel.org
> Signed-off-by: Alexandru Hossu
> ---

We need a little change log here.
I was hoping you would provide a link to the AI review in the changelog. I feel like the AI review is probably wrong. In this case the original code corrupted memory so the code didn't "work" before, it corrupted memory. But I'm interested to see the AI review.

regards,
dan carpenter
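The bounded iteration the commit message describes, written out as an added example that is not the driver's code and not part of this thread. The struct layout (a 26-byte HT_cap array followed by one adjacent field), the var_ie type, the `&=` merge of the AP's bytes into the local array and the names ht_caps_handler_fixed and demo_ie are assumptions standing in for the rtl8723bs types; min_t is reproduced as a plain macro so the block runs in userspace.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed model of the destination: a 26-byte HT capability array
 * (sizeof struct HT_caps_element) followed by an adjacent field that an
 * unbounded copy of up to 255 bytes would clobber. */
#define HT_CAP_LEN 26

struct ht_caps_element { uint8_t HT_cap[HT_CAP_LEN]; };

struct mlme_ext_info_model {
    struct ht_caps_element HT_caps;
    uint32_t adjacent_field;   /* stands in for whatever follows HT_caps */
};

/* Variable-length IE as parsed from the frame: id, length, data.
 * length is a raw u8 chosen by the sender and must not be trusted. */
struct var_ie {
    uint8_t id;
    uint8_t length;
    uint8_t data[255];
};

/* Userspace stand-in for the kernel's min_t() macro. */
#define min_t(type, a, b) ((type)(a) < (type)(b) ? (type)(a) : (type)(b))

/* Hardened handler: merge the AP's HT caps into ours, but clamp the loop
 * bound to the destination size so extra IE bytes are ignored rather
 * than written out of bounds. Returns the number of bytes consumed. */
size_t ht_caps_handler_fixed(struct mlme_ext_info_model *info,
                             const struct var_ie *pIE)
{
    unsigned int i;
    unsigned int n = min_t(unsigned int, pIE->length,
                           sizeof(info->HT_caps.HT_cap));
    for (i = 0; i < n; i++)
        info->HT_caps.HT_cap[i] &= pIE->data[i];
    return n;
}

/* Constructed input: an HT Capabilities IE (element id 45) claiming the
 * given length. Returns bytes consumed, or -1 if the adjacent field was
 * disturbed (it never is with the clamped loop). */
int demo_ie(uint8_t claimed_length)
{
    struct mlme_ext_info_model info;
    struct var_ie ie = { .id = 45, .length = claimed_length };
    memset(ie.data, 0x00, sizeof(ie.data));
    memset(info.HT_caps.HT_cap, 0xff, HT_CAP_LEN);
    info.adjacent_field = 0xdeadbeefu;
    int n = (int)ht_caps_handler_fixed(&info, &ie);
    return info.adjacent_field == 0xdeadbeefu ? n : -1;
}
```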