Re: [PATCH v2] staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop

From: Dan Carpenter

Date: Sat Apr 25 2026 - 08:12:10 EST


On Sat, Apr 25, 2026 at 01:59:36PM +0200, Alexandru Hossu wrote:
> The IE parsing loop in update_beacon_info() advances by
> (pIE->length + 2) each iteration but only guards on i < len.
> When a malicious AP sends a Beacon whose last IE has only one byte
> remaining in the frame (the element_id byte lands at len-1), the loop
> reads pIE->length from one byte past the allocated receive buffer.
>
> Additionally, even when the header bytes are in bounds, pIE->length
> itself can extend the data window beyond len, passing a truncated IE
> to the handler functions.
>
> Add two guards at the top of the loop body:
> 1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
> 2. Break if the IE's declared data extends past len.
>
> Also replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length
> for consistency with the sizeof(*pIE) guards added above.
>
> Signed-off-by: Alexandru Hossu <hossu.alexandru@xxxxxxxxx>
> ---
> v2: Replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length
> for consistency with the sizeof(*pIE) guards (Dan Carpenter).

Please wait a day between resends and resend the whole series.

regards,
dan carpenter
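The loop pattern described in the commit message, shown as an added example rather than code from the rtl8723bs driver or from this patch. It walks a buffer of TLV information elements twice: once with only the `i < len` guard, once with the two guards the patch describes. `struct var_ie`, `handle_ie()`, the `walk_*` functions and the sample frames are all constructed for this example; the frames are not captured traffic. Each sample is stored with one extra sentinel byte after its declared length so the unguarded walker stays inside a valid C object while still reading past the length the caller handed it, which is exactly the read the patch removes. The example assumes `sizeof(struct var_ie)` is the bare 2-byte header; if the real structure declares a placeholder data byte, `sizeof(*pIE)` is 3 and the stride arithmetic is worth re-checking.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a variable-length IE (assumption: 2-byte header, then
 * `length` data bytes; the flexible array member adds no size). */
struct var_ie {
	uint8_t element_id;
	uint8_t length;
	uint8_t data[];
};

struct walk_stats {
	unsigned handled;        /* IEs handed to the stub handler */
	unsigned truncated_seen; /* handled IEs whose data ran past len */
	size_t max_hdr_offset;   /* highest offset read as a header byte */
	bool stopped_short;      /* safe walk: < sizeof header left */
	bool stopped_trunc;      /* safe walk: declared length overran len */
};

/* Placeholder for the per-IE handler the loop would dispatch to. */
static void handle_ie(const struct var_ie *pie, struct walk_stats *st)
{
	(void)pie;
	st->handled++;
}

/* Vulnerable pattern: only i < len is checked, so when the last
 * element_id sits at buf[len - 1] the read of pie->length hits buf[len]. */
static void walk_unsafe(const uint8_t *buf, size_t len, struct walk_stats *st)
{
	size_t i = 0;

	memset(st, 0, sizeof(*st));
	while (i < len) {
		const struct var_ie *pie = (const struct var_ie *)(buf + i);

		st->max_hdr_offset = i + 1;	/* offset of pie->length */
		if ((size_t)pie->length + 2 > len - i)
			st->truncated_seen++;	/* handler gets a short IE */
		handle_ie(pie, st);
		i += (pie->length + 2);
	}
}

/* Hardened loop with the two guards the patch describes. */
static void walk_safe(const uint8_t *buf, size_t len, struct walk_stats *st)
{
	size_t i = 0;

	memset(st, 0, sizeof(*st));
	while (i < len) {
		const struct var_ie *pie;

		/* 1. Enough bytes left to read the header at all? */
		if (len - i < sizeof(*pie)) {
			st->stopped_short = true;
			break;
		}
		pie = (const struct var_ie *)(buf + i);
		st->max_hdr_offset = i + 1;

		/* 2. Does the declared data fit after the header? */
		if (pie->length > len - i - sizeof(*pie)) {
			st->stopped_trunc = true;
			break;
		}
		handle_ie(pie, st);
		i += sizeof(*pie) + pie->length;
	}
}

/* Constructed sample frames. The final 0xff of each array is a sentinel
 * standing in for whatever follows the receive buffer; it is excluded
 * from the *_LEN the walkers are given. */
static const uint8_t frame_ok[] = {
	0x00, 0x04, 't', 'e', 's', 't',	/* SSID "test" */
	0x01, 0x02, 0x82, 0x84,		/* supported rates */
	0xff
};
#define FRAME_OK_LEN (sizeof(frame_ok) - 1)

static const uint8_t frame_oob[] = {
	0x00, 0x04, 't', 'e', 's', 't',
	0xdd,				/* element_id at len - 1, no length byte */
	0xff
};
#define FRAME_OOB_LEN (sizeof(frame_oob) - 1)

static const uint8_t frame_badlen[] = {
	0x00, 0x10, 'a', 'b',		/* claims 16 data bytes, only 2 present */
	0xff
};
#define FRAME_BADLEN_LEN (sizeof(frame_badlen) - 1)

/* True if the walk dereferenced a header byte at or beyond len. */
static bool read_past_end(const struct walk_stats *st, size_t len)
{
	return st->max_hdr_offset >= len;
}

int main(void)
{
	struct walk_stats st;

	walk_unsafe(frame_oob, FRAME_OOB_LEN, &st);
	printf("unsafe: handled=%u past_end=%d\n", st.handled,
	       read_past_end(&st, FRAME_OOB_LEN));
	walk_safe(frame_oob, FRAME_OOB_LEN, &st);
	printf("safe:   handled=%u past_end=%d short=%d\n", st.handled,
	       read_past_end(&st, FRAME_OOB_LEN), st.stopped_short);
	return 0;
}
```

On `frame_oob` the unguarded walker reads the sentinel as the length of a second IE and hands the handler a one-byte element; the guarded walker stops after the SSID because only one byte remains. On `frame_badlen` the unguarded walker still calls the handler with 2 bytes of data behind a length of 16, while the guarded walker rejects the element outright.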