]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop
authorAlexandru Hossu <hossu.alexandru@gmail.com>
Fri, 22 May 2026 00:45:29 +0000 (02:45 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 7 Jul 2026 11:43:22 +0000 (13:43 +0200)
commitf9654207e92283e0acac5d64fe5f8835383b5a23
tree9f0f8ae90d646446bb0e289c80b0d083bf9fd0c9
parentf8001e1a516ba3b495728c65b61f799cbfad6bd0
staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop

The IE parsing loop in OnAssocRsp() advances by (pIE->length + 2) each
iteration but only guards on i < pkt_len. When a malicious AP sends an
AssocResponse whose last IE has only one byte remaining in the frame
(the element_id byte lands at pkt_len-1), the loop reads pIE->length
from pframe[pkt_len], which is one byte past the allocated receive buffer.

Additionally, even when the header bytes are in bounds, pIE->length
itself can extend the data window beyond pkt_len, silently passing a
truncated IE to the handler functions.

Add two guards at the top of the loop body:
  1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
  2. Break if the IE's declared data extends past pkt_len.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Link: https://patch.msgid.link/20260522004531.1038924-6-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c