Re: [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler()

From: Greg KH

Date: Sun Apr 26 2026 - 23:56:12 EST


On Tue, Apr 21, 2026 at 04:40:17PM +0200, Luka Gejak wrote:
> On Mon Apr 20, 2026 at 4:08 PM CEST, Alexandru Hossu wrote:
> > HT_caps_handler() iterates pIE->length bytes and writes into
> > HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
> > HT_caps_element). Because pIE->length is a raw u8 from an over-the-air
> > 802.11 AssocResponse frame and is never validated, a malicious AP can set
> > it up to 255, causing up to 229 bytes of out-of-bounds writes into
> > adjacent fields of struct mlme_ext_info.
> >
> > The parallel function HT_info_handler() already carries the correct guard:
> >
> > if (pIE->length > sizeof(struct HT_info_element))
> > return;
> >
> > Apply the same pattern to HT_caps_handler().
> >
> > Signed-off-by: Alexandru Hossu <hossu.alexandru@xxxxxxxxx>
> > ---
> > drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> > index 6a7c09db4..b75e7f4f8 100644
> > --- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> > +++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> > @@ -934,6 +934,9 @@ void HT_caps_handler(struct adapter *padapter, struct ndis_80211_var_ie *pIE)
> > if (phtpriv->ht_option == false)
> > return;
> >
> > + if (pIE->length > sizeof(struct HT_caps_element))
> > + return;
> > +
> > pmlmeinfo->HT_caps_enable = 1;
> >
> > for (i = 0; i < (pIE->length); i++) {
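Review bot: the early `return` added before `pmlmeinfo->HT_caps_enable = 1;` rejects the whole IE whenever `pIE->length > sizeof(struct HT_caps_element)`, so an AP that advertises an HT capabilities element longer than 26 bytes is left with HT_caps_enable unset and nothing copied into HT_caps.u.HT_cap[], which is a behaviour change on top of the bounds fix. The out-of-bounds write is prevented just as well by clamping the copy length and leaving the rest of the handler unchanged, e.g. `len = min_t(u8, pIE->length, sizeof(struct HT_caps_element));` with `for (i = 0; i < len; i++)` in place of `for (i = 0; i < (pIE->length); i++)`, so an oversized payload is truncated rather than dropped.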
>
> Hi Alexandru,
> this fix has already been made by Greg KH, therefore this patch is
> unnecessary. You can see his patch at [1].
> Best regards,
> Luka Gejak
>
> [1]: https://lore.kernel.org/linux-staging/2026041408-grill-mahogany-d1e3@gregkh/

Yeah, and we both got it wrong: if we do this, it will break things on
some systems, according to the AI review bot. So we need to just
truncate the data, not abort.

Alexandru, want to fix this up in your version and send it? If so, I'll
drop mine.

thanks,

greg k-h