staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 23 Feb 2026 13:31:35 +0000 (14:31 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 23 Feb 2026 15:34:44 +0000 (16:34 +0100)
Just like in commit 154828bf9559 ("staging: rtl8723bs: fix out-of-bounds
read in rtw_get_ie() parser"), we don't trust the data in the frame so
we should check the length better before acting on it

Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_2000
Tested-by: Navaneeth K <knavaneeth786@gmail.com>
Reviewed-by: Navaneeth K <knavaneeth786@gmail.com>
Link: https://patch.msgid.link/2026022336-arrange-footwork-6e54@gregkh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/rtl8723bs/core/rtw_ieee80211.c

index 6cf217e21593b71c1759ffaf9c6faf80b8eba441..3e2b5e6b07f93f2501c7fa5f84b3370098a0769b 100644 (file)
@@ -186,20 +186,25 @@ u8 *rtw_get_ie_ex(u8 *in_ie, uint in_len, u8 eid, u8 *oui, u8 oui_len, u8 *ie, u
 
        cnt = 0;
 
-       while (cnt < in_len) {
+       while (cnt + 2 <= in_len) {
+               u8 ie_len = in_ie[cnt + 1];
+
+               if (cnt + 2 + ie_len > in_len)
+                       break;
+
                if (eid == in_ie[cnt]
-                       && (!oui || !memcmp(&in_ie[cnt+2], oui, oui_len))) {
+                       && (!oui || (ie_len >= oui_len && !memcmp(&in_ie[cnt + 2], oui, oui_len)))) {
                        target_ie = &in_ie[cnt];
 
                        if (ie)
-                               memcpy(ie, &in_ie[cnt], in_ie[cnt+1]+2);
+                               memcpy(ie, &in_ie[cnt], ie_len + 2);
 
                        if (ielen)
-                               *ielen = in_ie[cnt+1]+2;
+                               *ielen = ie_len + 2;
 
                        break;
                }
-               cnt += in_ie[cnt+1]+2; /* goto next */
+               cnt += ie_len + 2; /* goto next */
        }
 
        return target_ie;
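Review bot: The added length check bounds the read from in_ie, but the `memcpy(ie, &in_ie[cnt], ie_len + 2)` still writes up to 257 bytes (a u8 length plus the two header bytes) into the caller-supplied `ie` buffer, whose capacity this function never learns, so the caller contract deserves to be stated. I would add above the copy: `/* ie has no size argument: callers must supply room for 255 + 2 bytes, since ie_len is attacker-controlled up to U8_MAX */`. Whether every existing caller actually sizes `ie` that way cannot be seen from this hunk and is worth confirming. The enclosing rtw_get_ie_ex() starts before the hunk (the declarations of cnt and target_ie are outside it), so the comment could equally go in the function's header block.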