From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out-188.mta1.migadu.com (out-188.mta1.migadu.com [95.215.58.188]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9EF4A39E16A for ; Tue, 24 Feb 2026 13:27:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.188 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771939651; cv=none; b=GJsHgrvVVANAE2aBtMJOr+DCURBd6uBXVMRyH0Hn6kjgU/y+uI7bbxMEn0n4jm+lprv1VAfpZGJb6SY3uZAnlyETIZwzDSskr8pVtidVk1LWwjqSGblTpU9UpB1TJHUgjH4hvACTbsDouAN4aeBLX1iA413vgZjhs/29h7PgxQE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771939651; c=relaxed/simple; bh=3CRa2xqFPuCqir1qs/FRWzim9splHWlfsP95dW2c6jk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=HZ6kJ2T5Tb0LOjJWmUQDt8x6NwVLL2lc7nFZOkYCQTbmZxMhs7C8jtgj/uj9kzsAqgyVHtr8LZiVAcnqZ2//EK1no+tsQcEvfcz/gAHbljOvAuFh3buBsHjyqykzIy62aAx+8E8j00yiDOhDnAAp8ijUFW8BuIhXd4uwUAFrCK8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=mB8O8O4B; arc=none smtp.client-ip=95.215.58.188 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="mB8O8O4B" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1771939648; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PT92cYBr253vss6P3ozpdqaZBeLr/if4yR/Go/cY8jA=; b=mB8O8O4BTjOfivi9DdiTiWB+gA8xtWI8KImf6/HK9cSB3lWMH1Lonm+xi/rjtmSkxINF1b wrkisgntETYmG5oLb29vG8exzTnhe+RTi75M68DEsWIASfrIzf2auhqfNepk5U3svIFPCt ktUNdp6AQ/YX/wi41JSaOFT0mFxfl9c= From: luka.gejak@linux.dev To: Greg Kroah-Hartman Cc: Dan Carpenter , linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Luka Gejak , stable@vger.kernel.org Subject: [PATCH 1/1] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie Date: Tue, 24 Feb 2026 14:26:47 +0100 Message-ID: <20260224132647.11642-2-luka.gejak@linux.dev> In-Reply-To: <20260224132647.11642-1-luka.gejak@linux.dev> References: <20260224132647.11642-1-luka.gejak@linux.dev> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Migadu-Flow: FLOW_OUT From: Luka Gejak The current code checks 'i + 5 < in_len' at the end of the if statement. However, it accesses 'in_ie[i + 5]' before that check, which can lead to an out-of-bounds read. Move the length check to the beginning of the conditional to ensure the index is within bounds before accessing the array. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable@vger.kernel.org Signed-off-by: Luka Gejak --- drivers/staging/rtl8723bs/core/rtw_mlme.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme.c b/drivers/staging/rtl8723bs/core/rtw_mlme.c index 22dc36e8e38a..2bd6f5367bdc 100644 --- a/drivers/staging/rtl8723bs/core/rtw_mlme.c +++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c @@ -1988,7 +1988,10 @@ int rtw_restruct_wmm_ie(struct adapter *adapter, u8 *in_ie, u8 *out_ie, uint in_ while (i < in_len) { ielength = initial_out_len; - if (in_ie[i] == 0xDD && in_ie[i + 2] == 0x00 && in_ie[i + 3] == 0x50 && in_ie[i + 4] == 0xF2 && in_ie[i + 5] == 0x02 && i + 5 < in_len) { /* WMM element ID and OUI */ + if (i + 5 < in_len && + in_ie[i] == 0xDD && in_ie[i + 2] == 0x00 && + in_ie[i + 3] == 0x50 && in_ie[i + 4] == 0xF2 && + in_ie[i + 5] == 0x02) { for (j = i; j < i + 9; j++) { out_ie[ielength] = in_ie[j]; ielength++; -- 2.53.0