staging: rtl8723bs: rtw_mlme: add bounds checks before ie_length subtraction
authorSalman Alghamdi <me@cipherat.com>
Wed, 13 May 2026 20:34:40 +0000 (23:34 +0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 21 May 2026 10:43:22 +0000 (12:43 +0200)
Add guards to ensure ie_length is large enough before subtracting
fixed IE offsets to prevent unsigned integer underflow.

Fixes: 2038fe84b8bd ("staging: rtl8723bs: fix spacing around operators")
Fixes: d3fcee1b78a5 ("staging: rtl8723bs: fix camel case in struct wlan_bssid_ex")
Closes: https://lore.kernel.org/linux-staging/DI2H39EAAFBZ.3KI5NWN02AQ2S@linux.dev/
Cc: stable <stable@kernel.org>
Signed-off-by: Salman Alghamdi <me@cipherat.com>
Reviewed-by: Luka Gejak <luka.gejak@linux.dev>
Link: https://patch.msgid.link/20260513203455.31792-1-me@cipherat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/rtl8723bs/core/rtw_mlme.c

index 268f294528e6a95ff484aa3256977ba9f230af29..9f21a2226dbd69afc1ddc25715f46c0220d2b6d4 100644 (file)
@@ -604,6 +604,8 @@ static bool rtw_is_desired_network(struct adapter *adapter, struct wlan_network
        privacy = pnetwork->network.privacy;
 
        if (check_fwstate(pmlmepriv, WIFI_UNDER_WPS)) {
+               if (pnetwork->network.ie_length < _FIXED_IE_LENGTH_)
+                       return false;
                if (rtw_get_wps_ie(pnetwork->network.ies + _FIXED_IE_LENGTH_, pnetwork->network.ie_length - _FIXED_IE_LENGTH_, NULL, &wps_ielen))
                        return true;
                else
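Review bot: The guard added before rtw_get_wps_ie() covers only the lower bound, so the length passed on is still `ie_length - _FIXED_IE_LENGTH_`, and nothing in this hunk shows that ie_length cannot exceed the size of the `ies` buffer. That upper bound is presumably enforced where the scan entry is stored, which is worth confirming since the fix is tagged for stable. The same applies to the `_BEACON_IE_OFFSET_` guard in the WPA2PSK branch of the second hunk. Neither guard says why it exists; a one-line comment above each check, such as `/* ie_length is unsigned: a value shorter than the fixed fields would wrap the length below */`, would keep them from being dropped in a later cleanup. rtw_is_desired_network() starts and ends outside both hunks.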
@@ -617,11 +619,15 @@ static bool rtw_is_desired_network(struct adapter *adapter, struct wlan_network
                        bselected = false;
 
                if (psecuritypriv->ndisauthtype == Ndis802_11AuthModeWPA2PSK) {
-                       p = rtw_get_ie(pnetwork->network.ies + _BEACON_IE_OFFSET_, WLAN_EID_RSN, &ie_len, (pnetwork->network.ie_length - _BEACON_IE_OFFSET_));
-                       if (p && ie_len > 0)
-                               bselected = true;
-                       else
+                       if (pnetwork->network.ie_length < _BEACON_IE_OFFSET_) {
                                bselected = false;
+                       } else {
+                               p = rtw_get_ie(pnetwork->network.ies + _BEACON_IE_OFFSET_, WLAN_EID_RSN, &ie_len, (pnetwork->network.ie_length - _BEACON_IE_OFFSET_));
+                               if (p && ie_len > 0)
+                                       bselected = true;
+                               else
+                                       bselected = false;
+                       }
                }
        }