[PATCH 5.15.y] staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
From: Johnny Hao
Date: Sun Mar 29 2026 - 23:13:00 EST
From: Navaneeth K <knavaneeth786@xxxxxxxxx>
[ Upstream commit 154828bf9559b9c8421fc2f0d7f7f76b3683aaed ]
The Information Element (IE) parser rtw_get_ie() trusted the length
byte of each IE without validating that the IE body (len bytes after
the 2-byte header) fits inside the remaining frame buffer. A malformed
frame can advertise an IE length larger than the available data, causing
the parser to increment its pointer beyond the buffer end. This results
in out-of-bounds reads or, depending on the pattern, an infinite loop.
Fix by validating that (offset + 2 + len) does not exceed the limit
before accepting the IE or advancing to the next element.
This prevents OOB reads and ensures the parser terminates safely on
malformed frames.
Signed-off-by: Navaneeth K <knavaneeth786@xxxxxxxxx>
Cc: stable <stable@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
[ The context change is due to the commit 4610e57a7d2e
("staging: rtl8723bs: Remove redundant else branches.") in v5.19
which is irrelevant to the logic of this patch. ]
Signed-off-by: Johnny Hao <johnny_haocn@xxxxxxxx>
---
drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
index b449be537376..fad2004ec59b 100644
--- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
+++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
@@ -141,23 +141,24 @@ u8 *rtw_get_ie(u8 *pbuf, signed int index, signed int *len, signed int limit)
signed int tmp, i;
u8 *p;
- if (limit < 1)
+ if (limit < 2)
return NULL;
p = pbuf;
i = 0;
*len = 0;
- while (1) {
+ while (i + 2 <= limit) {
+ tmp = *(p + 1);
+ if (i + 2 + tmp > limit)
+ break;
+
if (*p == index) {
- *len = *(p + 1);
+ *len = tmp;
return p;
} else {
- tmp = *(p + 1);
p += (tmp + 2);
i += (tmp + 2);
}
- if (i >= limit)
- break;
}
return NULL;
}
--
2.34.1