From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out-172.mta1.migadu.com (out-172.mta1.migadu.com [95.215.58.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4E72827AC28 for ; Sun, 8 Feb 2026 10:59:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.172 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770548378; cv=none; b=fBZaZecrvfiRsKY75UXECH63L8e9MP5d9nmYQEVm7/wMRwyONq/yw2ZQl/UyApYUAhp9bJsfAJXtBbbBG1jddtqf8wSUgfzttcSikJI+gCL6V8cVX375j5XMbXq4UhE6yY2DL1VBjmNWfvnHqyDyJzEN3MNx7gVyyDi0nCkLVho= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770548378; c=relaxed/simple; bh=jubLtVEu6Ee5Tq3pWfE33SMZkOBCRpemyjW4LnoYhUg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=cQggplpwCWZwmIT/SDDRhM4NbI/oxoOZ9jz2HzqWnn0Sp/JSpjzGWrTshIBcVyShME2nYP2McHrr2Q2MSFrIyhu9ysUZHfMpcT2xsjK5oZADdMjIQSaIZuQfrOK2gOKeUnQRIAwj3IIuurpgBR4+4r7L1QE21+bONoS3YnEGFqE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=rxiuLfBh; arc=none smtp.client-ip=95.215.58.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="rxiuLfBh" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1770548375; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LGyONV70NmVe5kpayBnmvTC97UZ6lGVsIJWAjpQVfUU=; b=rxiuLfBh2Uqp1AimiHkgC0Y+6f+oR2M8576k88UE/NaEeqsx4hNc6CNSJx0O3cCSeCeR1z 73neQQPWp39/s8y0dmHl45ismMpPBTvJAkmhPjk4eNetmdwjEnmhbebLQ4ZIufGkq7x4O7 Vz2roAMSquJnuCPZlJ1O9t4i2E+jpUM= From: luka.gejak@linux.dev To: lukagejak5@gmail.com Cc: Luka Gejak , stable@vger.kernel.org Subject: [PATCH v3 01/22] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie Date: Sun, 8 Feb 2026 11:58:32 +0100 Message-ID: <20260208105853.46192-2-luka.gejak@linux.dev> In-Reply-To: <20260208105853.46192-1-luka.gejak@linux.dev> References: <20260208105853.46192-1-luka.gejak@linux.dev> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Migadu-Flow: FLOW_OUT From: Luka Gejak The current code checks 'i + 5 < in_len' at the end of the if statement. However, it accesses 'in_ie[i + 5]' before that check, which can lead to an out-of-bounds read. Move the length check to the beginning of the conditional to ensure the index is within bounds before accessing the array. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable@vger.kernel.org Signed-off-by: Luka Gejak --- drivers/staging/rtl8723bs/core/rtw_mlme.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme.c b/drivers/staging/rtl8723bs/core/rtw_mlme.c index 22dc36e8e38a..2bd6f5367bdc 100644 --- a/drivers/staging/rtl8723bs/core/rtw_mlme.c +++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c @@ -1988,7 +1988,10 @@ int rtw_restruct_wmm_ie(struct adapter *adapter, u8 *in_ie, u8 *out_ie, uint in_ while (i < in_len) { ielength = initial_out_len; - if (in_ie[i] == 0xDD && in_ie[i + 2] == 0x00 && in_ie[i + 3] == 0x50 && in_ie[i + 4] == 0xF2 && in_ie[i + 5] == 0x02 && i + 5 < in_len) { /* WMM element ID and OUI */ + if (i + 5 < in_len && + in_ie[i] == 0xDD && in_ie[i + 2] == 0x00 && + in_ie[i + 3] == 0x50 && in_ie[i + 4] == 0xF2 && + in_ie[i + 5] == 0x02) { for (j = i; j < i + 9; j++) { out_ie[ielength] = in_ie[j]; ielength++; -- 2.52.0