Re: [PATCH v2 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler()

[Luka Gejak <luka.gejak@linux.dev>]

On April 27, 2026 3:11:28 PM GMT+02:00, Greg KH <gregkh@linuxfoundation.org> wrote:
>On Mon, Apr 27, 2026 at 03:58:23PM +0300, Dan Carpenter wrote:
>> On Mon, Apr 27, 2026 at 05:11:19AM -0600, Greg KH wrote:
>> > On Mon, Apr 27, 2026 at 12:48:38PM +0300, Dan Carpenter wrote:
>> > > On Mon, Apr 27, 2026 at 02:28:39AM -0700, Alexandru Hossu wrote:
>> > > > On Mon, Apr 27, 2026 at 11:17 AM, Dan Carpenter wrote:
>> > > > > We need a little change log here.  I was hoping you would provide
>> > > > > a link to the AI review in the changelog.
>> > > > 
>> > > > Hi Dan,
>> > > > 
>> > > > Sorry about the missing changelog, will add it in v3.
>> > > > 
>> > > > For the AI review link, I don't have a direct link to the bot output.
>> > > > What I know is from Greg's reply in the v1 thread on lore.kernel.org,
>> > > 
>> > > What about a link to the email on lore?
>> > 
>> > Sorry, I was on a plane with no connectivity to look it up, here's the
>> > AI review for my patch:
>> > 	https://sashiko.dev/#/patchset/2026041408-grill-mahogany-d1e3%40gregkh
>> > 
>> 
>> Ah.  Very good.  That's fair enough then.  The AI is very convincing.
>
>Yes, but is it correct?  That's the problem with these tools :)
>

Hi Greg, Dan,
I have reviewed this patch. While it successfully prevents the oob 
write, it unfortunately introduces a functional regression. By 
enforcing if (pIE->length > sizeof(pmlmeinfo->HT_caps)) and returning 
early, the driver bypasses setting pmlmeinfo->HT_caps_enable = 1;. If 
future 802.11 standards (or non-standard vendors) append extra bytes 
to the ht capability ie, completely discarding the ie will silently 
disable high throughput mode and degrade performance. To fix the oob 
write without breaking functionality, a better approach would be using
min_t() to cap the length and only process the valid portion.
Separately, while auditing this path, I noticed two pre-existing oob 
read vulnerabilities:
1. The GET_HT_CAPABILITY_ELE_RX_STBC(pIE->data) macro 
(drivers/staging/rtl8723bs/include/rtw_ht.h:81) unconditionally reads 
from pIE->data[1]. If a malicious packet provides a pIE->length of 0 
or 1, the driver will blindly read past the end of the ie's data. 
2. In OnAssocRsp() (drivers/staging/rtl8723bs/core/rtw_mlme_ext.c), 
the ie iteration loop for (i = ...; i < pkt_len;) does not verify 
if i + 2 <= pkt_len or if i + 2 + pIE->length <= pkt_len before 
invoking handlers. Therefore, pIE->data isn't guaranteed to be bounded
within the received packet buffer, allowing oob reads simply by 
overflowing pkt_len from the air.
I recommend revising this patch to use min_t() to avoid the ht mode 
regression. Since the oob reads are pre-existing issues outside the 
scope of fixing this oob write, they should be addressed in separate 
patches, which I am happy to submit :).
Best regards,
Luka Gejak