Linux kernel -stable discussions
* [PATCH v6 1/8] staging: rtl8723bs: fix buffer over-read in rtw_update_protection
       [not found] <20260428164513.763471-1-me@cipherat.com>
@ 2026-04-28 16:44 ` Salman Alghamdi
  2026-05-04  9:35   ` Greg KH
  0 siblings, 1 reply; 4+ messages in thread
From: Salman Alghamdi @ 2026-04-28 16:44 UTC (permalink / raw)
  To: gregkh; +Cc: luka.gejak, straube.linux, linux-staging, linux-kernel, stable

rtw_update_protection() is called with a pointer offset into the
ies buffer but the full ie_length is passed, causing a potential
buffer over-read.

Fixes: e945c43df60b ("Staging: rtl8723bs: Delete dead code from update_current_network()")
Fixes: d3fcee1b78a5 ("staging: rtl8723bs: fix camel case in struct wlan_bssid_ex")
Reported-by: Luka Gejak <luka.gejak@linux.dev>
Closes: https://lore.kernel.org/linux-staging/DI2H39EAAFBZ.3KI5NWN02AQ2S@linux.dev
Cc: stable@vger.kernel.org
Signed-off-by: Salman Alghamdi <me@cipherat.com>
---
 drivers/staging/rtl8723bs/core/rtw_mlme.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme.c b/drivers/staging/rtl8723bs/core/rtw_mlme.c
index ddfc56f0253d..268f294528e6 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
@@ -464,8 +464,11 @@ static void update_current_network(struct adapter *adapter, struct wlan_bssid_ex
 
 	if (check_fwstate(pmlmepriv, _FW_LINKED) && (is_same_network(&pmlmepriv->cur_network.network, pnetwork, 0))) {
 		update_network(&pmlmepriv->cur_network.network, pnetwork, adapter, true);
+		if (pmlmepriv->cur_network.network.ie_length < sizeof(struct ndis_802_11_fix_ie))
+			return;
+
 		rtw_update_protection(adapter, (pmlmepriv->cur_network.network.ies) + sizeof(struct ndis_802_11_fix_ie),
-								pmlmepriv->cur_network.network.ie_length);
+								pmlmepriv->cur_network.network.ie_length - sizeof(struct ndis_802_11_fix_ie));
 	}
 }
 
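Review bot: the `sizeof(struct ndis_802_11_fix_ie)` bound now appears three times within four lines of this hunk (the new comparison, the pointer offset, and the subtracted length) and the call line is already well past 100 columns; hoisting it into a local such as `size_t fix_len = sizeof(struct ndis_802_11_fix_ie);` placed before the new check, or computing the remaining length once into a variable, would keep the comparison and the subtraction visibly tied to the same bound. The early `return` itself is fine here because rtw_update_protection() is the last statement in the block, and the guard makes the unsigned subtraction on the following line safe from wrapping.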
@@ -1072,8 +1075,11 @@ static void rtw_joinbss_update_network(struct adapter *padapter, struct wlan_net
 			break;
 	}
 
+	if (cur_network->network.ie_length < sizeof(struct ndis_802_11_fix_ie))
+		return;
+
 	rtw_update_protection(padapter, (cur_network->network.ies) + sizeof(struct ndis_802_11_fix_ie),
-									(cur_network->network.ie_length));
+									(cur_network->network.ie_length - sizeof(struct ndis_802_11_fix_ie)));
 
 	rtw_update_ht_cap(padapter, cur_network->network.ies, cur_network->network.ie_length, (u8) cur_network->network.configuration.ds_config);
 }
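Review bot: the new early return in this hunk also skips rtw_update_ht_cap() at the end of the function, which previously ran on every path and which is passed the full `ies`/`ie_length` rather than the offset pointer, so it is not affected by the over-read being fixed. Unless dropping the HT capability update for short `ie_length` values is intended (in which case the commit message should say so), guard only the protection call, e.g. `if (cur_network->network.ie_length >= sizeof(struct ndis_802_11_fix_ie))` followed by the rtw_update_protection() call, and let rtw_update_ht_cap() run as before.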
-- 
2.54.0
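The bookkeeping error the patch corrects is easy to reproduce outside the driver. The following is an added, self-contained C example, not code from rtl8723bs or from this series: a bounded TLV walker stands in for rtw_update_protection()'s element lookup, and a simulated call site can run either with the old arithmetic (pointer advanced past the fixed fields but the full ie_length still passed as the window) or with the patched arithmetic. The fixed-field size (12 bytes), the ERP element ID (42), the sample beacon bytes, and every function and type name here are assumptions constructed for the example; the simulated call site checks the scan window against the valid length before reading, so the old variant reports the overrun rather than performing it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for sizeof(struct ndis_802_11_fix_ie): timestamp (8),
 * beacon interval (2), capability (2).  Not taken from the driver headers. */
#define FIX_IE_LEN 12u

/* Assumed element ID for the ERP information element (802.11 EID 42). */
#define EID_ERP_INFO 42u

/* Hypothetical record: fixed fields followed by TLV elements. */
struct bss_record {
	uint8_t ies[64];
	size_t ie_length; /* bytes actually valid in ies[] */
};

enum scan_result {
	SCAN_FOUND = 1,          /* ERP element located within bounds */
	SCAN_ABSENT = 0,         /* walked to the end, no ERP element */
	SCAN_TOO_SHORT = -1,     /* ie_length smaller than the fixed header */
	SCAN_WOULD_OVERRUN = -2, /* window extends past the valid bytes */
};

/* Bounded walk over [p, p + len): each element is id, len, data.  A
 * truncated element stops the walk instead of being read. */
static bool find_ie(const uint8_t *p, size_t len, uint8_t eid, size_t *elen)
{
	size_t i = 0;

	while (i + 2 <= len) {
		uint8_t id = p[i];
		size_t l = p[i + 1];

		if (i + 2 + l > len)
			return false;
		if (id == eid) {
			*elen = l;
			return true;
		}
		i += 2 + l;
	}
	return false;
}

/* Simulated call site.  subtract_fixed == false reproduces the old
 * bookkeeping (offset pointer, full ie_length); true reproduces the fix. */
static enum scan_result protection_scan(const struct bss_record *bss,
					bool subtract_fixed)
{
	size_t window, elen;

	if (bss->ie_length < FIX_IE_LEN)
		return SCAN_TOO_SHORT; /* the patch's new early return */

	window = subtract_fixed ? bss->ie_length - FIX_IE_LEN : bss->ie_length;

	/* Offset plus window must stay within the bytes that are valid. */
	if (FIX_IE_LEN + window > bss->ie_length)
		return SCAN_WOULD_OVERRUN;

	return find_ie(bss->ies + FIX_IE_LEN, window, EID_ERP_INFO, &elen)
	       ? SCAN_FOUND : SCAN_ABSENT;
}

/* Constructed sample: 12 fixed bytes, SSID "ab", then a 1-byte ERP element. */
static struct bss_record make_sample(void)
{
	struct bss_record bss = { { 0 }, 0 };
	static const uint8_t tlvs[] = {
		0x00, 0x02, 'a', 'b', /* EID 0 (SSID), len 2 */
		0x2a, 0x01, 0x04,     /* EID 42 (ERP info), len 1 */
	};
	size_t n;

	for (n = 0; n < sizeof(tlvs); n++)
		bss.ies[FIX_IE_LEN + n] = tlvs[n];
	bss.ie_length = FIX_IE_LEN + sizeof(tlvs);
	return bss;
}

/* Old arithmetic on the sample: window overshoots the valid bytes. */
static int demo_old(void)
{
	struct bss_record bss = make_sample();
	return protection_scan(&bss, false);
}

/* Patched arithmetic on the sample: ERP element found within bounds. */
static int demo_fixed(void)
{
	struct bss_record bss = make_sample();
	return protection_scan(&bss, true);
}

/* Record shorter than the fixed fields: the new guard rejects it. */
static int demo_short(void)
{
	struct bss_record bss = make_sample();
	bss.ie_length = 5;
	return protection_scan(&bss, true);
}

int main(void)
{
	printf("old bookkeeping:   %d\n", demo_old());
	printf("fixed bookkeeping: %d\n", demo_fixed());
	printf("short record:      %d\n", demo_short());
	return 0;
}
```

The relevant invariant is the one the patch restores: when a pointer is advanced by N bytes into a buffer of length L, the length handed to any consumer of that pointer must be L - N, and L must first be checked to be at least N so the subtraction cannot wrap.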



* Re: [PATCH v6 1/8] staging: rtl8723bs: fix buffer over-read in rtw_update_protection
  2026-04-28 16:44 ` [PATCH v6 1/8] staging: rtl8723bs: fix buffer over-read in rtw_update_protection Salman Alghamdi
@ 2026-05-04  9:35   ` Greg KH
  2026-05-07 21:56     ` Salman Alghamdi
  0 siblings, 1 reply; 4+ messages in thread
From: Greg KH @ 2026-05-04  9:35 UTC (permalink / raw)
  To: Salman Alghamdi
  Cc: luka.gejak, straube.linux, linux-staging, linux-kernel, stable

On Tue, Apr 28, 2026 at 07:44:31PM +0300, Salman Alghamdi wrote:
> rtw_update_protection() is called with a pointer offset into the
> ies buffer but the full ie_length is passed, causing a potential
> buffer over-read.
> 
> Fixes: e945c43df60b ("Staging: rtl8723bs: Delete dead code from update_current_network()")
> Fixes: d3fcee1b78a5 ("staging: rtl8723bs: fix camel case in struct wlan_bssid_ex")
> Reported-by: Luka Gejak <luka.gejak@linux.dev>
> Closes: https://lore.kernel.org/linux-staging/DI2H39EAAFBZ.3KI5NWN02AQ2S@linux.dev
> Cc: stable@vger.kernel.org
> Signed-off-by: Salman Alghamdi <me@cipherat.com>
> ---
>  drivers/staging/rtl8723bs/core/rtw_mlme.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)

You should not mix patches for the current release (i.e. this one), with
patches for the next release (i.e. the rest of the patches in this
series), as that means I can't take the full series for either :(

Please break this up into two different sets of patches and resend them
that way.

thanks,

greg k-h


* Re: [PATCH v6 1/8] staging: rtl8723bs: fix buffer over-read in rtw_update_protection
  2026-05-04  9:35   ` Greg KH
@ 2026-05-07 21:56     ` Salman Alghamdi
  2026-05-08  5:00       ` Greg KH
  0 siblings, 1 reply; 4+ messages in thread
From: Salman Alghamdi @ 2026-05-07 21:56 UTC (permalink / raw)
  To: Greg KH; +Cc: luka.gejak, straube.linux, linux-staging, linux-kernel, stable

On May 04, 2026 12:35 +03, Greg KH <gregkh@linuxfoundation.org> wrote:
> >  drivers/staging/rtl8723bs/core/rtw_mlme.c | 10 ++++++++--
> >  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> You should not mix patches for the current release (i.e. this one), with
> patches for the next release (i.e. the rest of the patches in this
> series), as that means I can't take the full series for either :(
> 
> Please break this up into two different sets of patches and resend them
> that way.

Hi Greg,
Thank you for the review.

Two questions before I resend:
1. How do I tell which release a patch targets? Is it purely based on whether it's a bug fix (current release) vs. a new change (next release), or is there a more specific rule I should follow?
2. For versioning the split series, should the bug fix patch restart at v1, and the rest of the series continue at v7? Or should I keep them sequential (bug fix as v7, next-release patches as v8)?

Thanks,
Salman Alghamdi



* Re: [PATCH v6 1/8] staging: rtl8723bs: fix buffer over-read in rtw_update_protection
  2026-05-07 21:56     ` Salman Alghamdi
@ 2026-05-08  5:00       ` Greg KH
  0 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2026-05-08  5:00 UTC (permalink / raw)
  To: Salman Alghamdi
  Cc: luka.gejak, straube.linux, linux-staging, linux-kernel, stable

On Fri, May 08, 2026 at 12:56:09AM +0300, Salman Alghamdi wrote:
> On May 04, 2026 12:35 +03, Greg KH <gregkh@linuxfoundation.org> wrote:
> > >  drivers/staging/rtl8723bs/core/rtw_mlme.c | 10 ++++++++--
> > >  1 file changed, 8 insertions(+), 2 deletions(-)
> > 
> > You should not mix patches for the current release (i.e. this one), with
> > patches for the next release (i.e. the rest of the patches in this
> > series), as that means I can't take the full series for either :(
> > 
> > Please break this up into two different sets of patches and resend them
> > that way.
> 
> Hi Greg,
> Thank you for the review.
> 
> Two questions before I resend:
> 1. How do I tell which release a patch targets? Is it purely based on whether it's a bug fix (current release) vs. a new change (next release), or is there a more specific rule I should follow?

That is exactly what it is based on.

> 2. For versioning the split series, should the bug fix patch restart at v1, and the rest of the series continue at v7? Or should I keep them sequential (bug fix as v7, next-release patches as v8)?

Two separate series, so yes, splitting it that way should be fine.

thanks,

greg k-h
