staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie

The current code checks 'i + 5 < in_len' at the end of the if statement.
However, it accesses 'in_ie[i + 5]' before that check, which can lead
to an out-of-bounds read. Move the length check to the beginning of the
conditional to ensure the index is within bounds before accessing the
array.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Luka Gejak <luka.gejak@linux.dev>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/20260224132647.11642-2-luka.gejak@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme.c b/drivers/staging/rtl8723bs/core/rtw_mlme.c
index 7df65170838174c91db6493adb935e986f2a4534..1ef48bf6581c473856065bb8c44443c85c7302b6 100644 (file)
--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
@@ -1988,7 +1988,10 @@ int rtw_restruct_wmm_ie(struct adapter *adapter, u8 *in_ie, u8 *out_ie, uint in_
        while (i < in_len) {
                ielength = initial_out_len;
 
-               if (in_ie[i] == 0xDD && in_ie[i + 2] == 0x00 && in_ie[i + 3] == 0x50  && in_ie[i + 4] == 0xF2 && in_ie[i + 5] == 0x02 && i + 5 < in_len) { /* WMM element ID and OUI */
+               if (i + 5 < in_len &&
+                   in_ie[i] == 0xDD && in_ie[i + 2] == 0x00 &&
+                   in_ie[i + 3] == 0x50 && in_ie[i + 4] == 0xF2 &&
+                   in_ie[i + 5] == 0x02) {
                        for (j = i; j < i + 9; j++) {
                                out_ie[ielength] = in_ie[j];
                                ielength++;