Date: Thu, 16 Apr 2026 19:44:26 +0300
From: Dan Carpenter To: Delene Tchio Romuald Cc: gregkh@linuxfoundation.org, dan.carpenter@linaro.org, luka.gejak@linux.dev, hansg@kernel.org, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: Re: [PATCH v4 4/5] staging: rtl8723bs: fix out-of-bounds reads in IE parsing functions Message-ID: References: <20260415185501.440492-1-delenetchior1@gmail.com> <20260415185501.440492-5-delenetchior1@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20260415185501.440492-5-delenetchior1@gmail.com> On Wed, Apr 15, 2026 at 07:55:00PM +0100, Delene Tchio Romuald wrote: > rtw_get_wapi_ie(), rtw_get_sec_ie() and rtw_get_wps_ie() walk a > buffer of Information Elements using the TLV length field without > first verifying that the length byte itself is inside the buffer, > and without verifying that the element's declared length fits > inside the remaining buffer. Both conditions can be reached with > crafted input, causing reads past the end of the buffer. > > An attacker within WiFi radio range can exploit this by sending > crafted beacon or probe-response frames carrying truncated or > oversized IEs. No authentication is required. > > Ensure the length byte is inside the buffer (cnt + 1 < in_len) > and break out of the loop if the declared element length would > read past in_len. > > Found by reviewing bounds checks in IE walkers. > Not tested on hardware. > > Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver") > Cc: stable@vger.kernel.org > Reviewed-by: Luka Gejak 
> Signed-off-by: Delene Tchio Romuald > --- > v4: add Fixes: tag and Cc: stable (Dan Carpenter); carry Luka Gejak's > Reviewed-by. > v3: rebased on staging-next; sent as numbered series with proper > Cc from get_maintainer.pl. > v2: rebased on staging-next (v1 was based on v7.0-rc6 and did not > apply). > > drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 15 ++++++++++++--- > 1 file changed, 12 insertions(+), 3 deletions(-) > > diff --git a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c > index 72b7f731dd471..e0fed3f42de0c 100644 > --- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c > +++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c > @@ -582,9 +582,12 @@ int rtw_get_wapi_ie(u8 *in_ie, uint in_len, u8 *wapi_ie, u16 *wapi_len) > > cnt = (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_); > > - while (cnt < in_len) { > + while (cnt + 1 < in_len) { > authmode = in_ie[cnt]; > > + if (cnt + 2 + in_ie[cnt + 1] > in_len) > + break; It's a pity this function doesn't return negative error codes. > + > if (authmode == WLAN_EID_BSS_AC_ACCESS_DELAY && > (!memcmp(&in_ie[cnt + 6], wapi_oui1, 4) || > !memcmp(&in_ie[cnt + 6], wapi_oui2, 4))) { ^^^^^^^^^^^^^^ here we are assuming the in_len is at least "cnt + 6 + 4" so we need something like: if (cnt + 2 + in_ie[cnt + 1] > in_len) break; if (authmode == WLAN_EID_BSS_AC_ACCESS_DELAY) { if (cnt + 10 > in_len) break; if (!memcmp(&in_ie[cnt + 6], wapi_oui1, 4) || ... > @@ -615,9 +618,12 @@ void rtw_get_sec_ie(u8 *in_ie, uint in_len, u8 *rsn_ie, u16 *rsn_len, u8 *wpa_ie > > cnt = (_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_); > > - while (cnt < in_len) { > + while (cnt + 1 < in_len) { > authmode = in_ie[cnt]; > > + if (cnt + 2 + in_ie[cnt + 1] > in_len) > + break; > + > if ((authmode == WLAN_EID_VENDOR_SPECIFIC) && > (!memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4))) { Same in the other places as well. regards, dan carpenter
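Review bot: in the rtw_get_wapi_ie() hunk the new `if (cnt + 2 + in_ie[cnt + 1] > in_len) break;` bounds the element against the buffer but not the compare that follows it, `memcmp(&in_ie[cnt + 6], wapi_oui1, 4)`, which reads in_ie[cnt + 6] through in_ie[cnt + 9]; an element whose declared length is below 8 passes the new check and the compare still reads past the element and, near the end of the buffer, past in_len. Gate the compare on the element length as well, e.g. `if (authmode == WLAN_EID_BSS_AC_ACCESS_DELAY && in_ie[cnt + 1] >= 8 && (!memcmp(&in_ie[cnt + 6], wapi_oui1, 4) || ...`; this covers the `cnt + 10 > in_len` case Dan raises and additionally stops a short element from being matched on bytes that belong to the next element.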
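Review bot: the rtw_get_sec_ie() hunk has the same gap: `memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4)` reads four payload bytes, but the added check only guarantees `cnt + 2 + in_ie[cnt + 1] <= in_len`, so a vendor-specific element declaring a length of 0 to 3 is accepted and the compare reads beyond it. Add `in_ie[cnt + 1] >= 4` to the condition, e.g. `if ((authmode == WLAN_EID_VENDOR_SPECIFIC) && in_ie[cnt + 1] >= 4 && (!memcmp(&in_ie[cnt + 2], &wpa_oui[0], 4)))`. Since the commit message says the same change goes into rtw_get_wps_ie(), the header and length checks could also move into one small helper so the three walkers share a single bounds condition instead of three hand-copied ones.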
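The bounds-checked IE walk the commit message describes, as an added example that is neither the rtl8723bs driver's code nor anything posted in this thread; the function names, the result codes and the sample buffers are constructed for it. It carries the patch's two buffer checks through, adds the element-length check that the review's `cnt + 6 + 4` remark calls for, and runs both variants on the same short element so the difference is visible in the return values:

```c
/*
 * Added example, not code from rtl8723bs or from this thread: a bounds-checked
 * walk over an 802.11 Information Element list (a run of [id][len][payload]
 * TLVs) that looks for a vendor-specific element carrying a given 4-byte
 * OUI+type prefix. Function names, the result enum and the sample buffers
 * below are constructed for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_VENDOR_SPECIFIC 0xdd   /* element id of a vendor-specific IE */

enum ie_walk_result {
    IE_FOUND = 0,
    IE_NOT_FOUND = -1,   /* whole buffer walked cleanly, nothing matched */
    IE_TRUNCATED = -2,   /* a header or declared payload overran the buffer */
};

/*
 * Three checks are needed before touching an element's payload:
 *  (1) the length byte itself is inside the buffer   cnt + 1 < ies_len
 *  (2) the declared payload fits in the buffer       cnt + 2 + len <= ies_len
 *  (3) the payload is long enough for what we read   len >= 4 for a 4-byte OUI
 * check_elem_len selects whether (3) is applied, so the two behaviours can be
 * compared on the same input.
 */
static enum ie_walk_result walk_ies(const uint8_t *ies, size_t ies_len, size_t start,
                                    const uint8_t oui[4], int check_elem_len,
                                    size_t *out_off, size_t *out_len)
{
    size_t cnt = start;

    while (cnt + 1 < ies_len) {                    /* (1) */
        uint8_t id  = ies[cnt];
        size_t  len = ies[cnt + 1];

        if (cnt + 2 + len > ies_len)               /* (2) */
            return IE_TRUNCATED;

        if (id == IE_VENDOR_SPECIFIC &&
            (!check_elem_len || len >= 4) &&       /* (3) */
            memcmp(&ies[cnt + 2], oui, 4) == 0) {
            *out_off = cnt;
            *out_len = 2 + len;
            return IE_FOUND;
        }
        cnt += 2 + len;
    }
    /* A lone trailing id byte with no length byte is malformed too. */
    return cnt == ies_len ? IE_NOT_FOUND : IE_TRUNCATED;
}

/* Hardened walker: all three checks. */
enum ie_walk_result find_vendor_ie(const uint8_t *ies, size_t ies_len, size_t start,
                                   const uint8_t oui[4], size_t *off, size_t *len)
{
    return walk_ies(ies, ies_len, start, oui, 1, off, len);
}

/* Buffer-only walker: checks (1) and (2) only, like the patch as posted. */
enum ie_walk_result find_vendor_ie_buffer_only(const uint8_t *ies, size_t ies_len,
                                               size_t start, const uint8_t oui[4],
                                               size_t *off, size_t *len)
{
    return walk_ies(ies, ies_len, start, oui, 0, off, len);
}

/* Constructed samples. WPA_OUI is the well-known 00:50:F2 OUI with type 1. */
static const uint8_t WPA_OUI[4] = { 0x00, 0x50, 0xf2, 0x01 };

static const uint8_t GOOD_IES[] = {          /* SSID "abc", then a vendor IE */
    0x00, 0x03, 'a', 'b', 'c',
    0xdd, 0x06, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00,
};
static const uint8_t OVERSIZED_IES[] = {     /* vendor IE claims 32 bytes, has 2 */
    0x00, 0x03, 'a', 'b', 'c',
    0xdd, 0x20, 0x00, 0x50,
};
static const uint8_t NO_LEN_BYTE_IES[] = {   /* buffer ends right after an id byte */
    0x00, 0x03, 'a', 'b', 'c',
    0xdd,
};
static const uint8_t SHORT_VENDOR_IES[] = {  /* vendor IE len 2: too short for an OUI */
    0xdd, 0x02, 0x00, 0x50,
    0xf2, 0x01, 0x00,                        /* next IE (id 0xf2, len 1) completes the OUI bytes by accident */
};

/* Result helpers so each case can be checked by return value. */
int demo_good(void)              { size_t o = 0, l = 0; return find_vendor_ie(GOOD_IES, sizeof GOOD_IES, 0, WPA_OUI, &o, &l) == IE_FOUND && o == 5 && l == 8; }
int demo_oversized(void)         { size_t o = 0, l = 0; return find_vendor_ie(OVERSIZED_IES, sizeof OVERSIZED_IES, 0, WPA_OUI, &o, &l); }
int demo_no_len(void)            { size_t o = 0, l = 0; return find_vendor_ie(NO_LEN_BYTE_IES, sizeof NO_LEN_BYTE_IES, 0, WPA_OUI, &o, &l); }
int demo_short_hardened(void)    { size_t o = 0, l = 0; return find_vendor_ie(SHORT_VENDOR_IES, sizeof SHORT_VENDOR_IES, 0, WPA_OUI, &o, &l); }
int demo_short_buffer_only(void) { size_t o = 0, l = 0; return find_vendor_ie_buffer_only(SHORT_VENDOR_IES, sizeof SHORT_VENDOR_IES, 0, WPA_OUI, &o, &l); }

int main(void)
{
    printf("good=%d oversized=%d no_len=%d short(hardened)=%d short(buffer-only)=%d\n",
           demo_good(), demo_oversized(), demo_no_len(),
           demo_short_hardened(), demo_short_buffer_only());
    return 0;
}
```

In the driver `cnt` starts at `_TIMESTAMP_ + _BEACON_ITERVAL_ + _CAPABILITY_` rather than 0; the `start` parameter stands in for that offset. The buffer-only variant reports a match on SHORT_VENDOR_IES because the four bytes it compares straddle the short element and the header of the next one, which is exactly the situation the element-length check rules out. Returning IE_TRUNCATED instead of breaking silently is the negative error code the review wishes the driver had: a caller can then count or log malformed frames rather than treating them as "no IE present".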