Re: [PATCH v2 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler()

From: Dan Carpenter

Date: Mon Apr 27 2026 - 05:25:39 EST


On Mon, Apr 27, 2026 at 10:17:47AM +0200, Alexandru Hossu wrote:
> HT_caps_handler() iterates pIE->length bytes and writes into
> HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
> HT_caps_element). Because pIE->length is a raw u8 from an over-the-air
> 802.11 AssocResponse frame and is never validated, a malicious AP can set
> it up to 255, causing up to 229 bytes of out-of-bounds writes into
> adjacent fields of struct mlme_ext_info.
>
> Truncate the iteration count to the size of HT_caps.u.HT_cap using
> min_t() so that data from a longer-than-expected IE is silently ignored
> rather than written out of bounds, preserving interoperability with APs
> that pad the element.
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Alexandru Hossu <hossu.alexandru@xxxxxxxxx>
> ---

We need a little change log here. I was hoping you would provide
a link to the AI review in the changelog.

I feel like the AI review is probably wrong. In this case the
original code corrupted memory so the code didn't "work" before, it
corrupted memory. But I'm interested to see the AI review.

regards,
dan carpenter
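A constructed user-space model of the clamp the quoted commit message describes (added illustration, not the driver's code): the destination is a 26-byte array, the IE length is an untrusted u8, and the copy count is truncated to the array size exactly as the patch does with min_t(). The struct names, the `adjacent_field` canary and the return value are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the element the patch protects. The real struct
 * lives in the rtl8723bs driver; here only its size (26 bytes, per the
 * commit message) matters. */
#define HT_CAP_LEN 26

struct ht_caps_element {
    uint8_t ht_cap[HT_CAP_LEN];
};

/* Layout as the commit message describes it: a fixed-size HT caps element
 * followed by other fields that an over-long copy would clobber. The
 * trailing field is a constructed canary, not a real driver field. */
struct mlme_ext_info_model {
    struct ht_caps_element ht_caps;
    uint32_t adjacent_field;
};

/* Information element as it arrives in the frame: a one-byte length
 * followed by up to 255 bytes of payload. */
struct ie {
    uint8_t length;
    const uint8_t *data;
};

/* Hardened handler: clamp the iteration count to the destination size,
 * mirroring the min_t() fix. Returns the number of bytes actually copied
 * so a caller (or a test) can observe the truncation. */
static size_t ht_caps_handler(struct mlme_ext_info_model *info, const struct ie *pie)
{
    size_t n = pie->length < HT_CAP_LEN ? pie->length : HT_CAP_LEN;
    size_t i;
    for (i = 0; i < n; i++)
        info->ht_caps.ht_cap[i] = pie->data[i];
    return n;
}

/* How many bytes an unclamped loop would write past the array for a given
 * IE length: 255 - 26 = 229, the figure in the commit message. */
static size_t oob_bytes_without_clamp(uint8_t ie_length)
{
    return ie_length > HT_CAP_LEN ? (size_t)ie_length - HT_CAP_LEN : 0;
}
```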