[PATCH v4 1/2] staging: rtl8723bs: fix OOB write and read in HT_caps_handler()

From: Alexandru Hossu

Date: Tue May 05 2026 - 13:22:32 EST


HT_caps_handler() iterates over pIE->length bytes and writes into
HT_caps.u.HT_cap[], a fixed array of sizeof(struct HT_caps_element)
bytes. pIE->length is a raw u8 from an over-the-air 802.11
Association Response frame and is never validated before the loop. A
malicious AP can set it to 255, writing up to 229 bytes past the end
of the array into adjacent fields of struct mlme_ext_info.

Additionally, after the loop the function calls three macros that
unconditionally read pIE->data[0] and pIE->data[1]:

GET_HT_CAPABILITY_ELE_LDPC_CAP(pIE->data) -- reads data[0], bit 0
GET_HT_CAPABILITY_ELE_TX_STBC(pIE->data) -- reads data[0], bit 7
GET_HT_CAPABILITY_ELE_RX_STBC(pIE->data) -- reads data[1], bits 0-1

If a malicious AP sends an HT Capabilities IE with pIE->length less
than 2, both bytes the macros need are outside the IE payload,
causing an out-of-bounds read.

Fix both issues:
- Set HT_caps_enable = 1 first so HT negotiation is not regressed.
- Return early if pIE->length < 2 to protect the macro reads.
- Use umin() in the loop to bound the write side.

The parallel HT_info_handler() already guards against oversized IEs.
This patch applies the same discipline to HT_caps_handler().

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Alexandru Hossu <hossu.alexandru@xxxxxxxxx>
---
Changes in v4:
- Add pIE->length < 2 guard after HT_caps_enable = 1 to prevent OOB
reads from GET_HT_CAPABILITY_ELE_LDPC_CAP/TX_STBC/RX_STBC macros
that access pIE->data[0] and pIE->data[1] unconditionally.
Caught by sashiko review of v3.
- Use umin() in the loop bound to cap writes at
sizeof(HT_caps.u.HT_cap) without bypassing HT_caps_enable.

Changes in v3:
- Switch from min_t() to umin() (Dan Carpenter).
- Keep truncation approach rather than early return so HT_caps_enable
is always set before the length check (Luka Gejak, AI review).

Changes in v2:
- Replace early return before HT_caps_enable = 1 with umin()
truncation so HT mode is not disabled for APs with oversized IEs.

drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index 6a7c09db4cd9..98aa50357e96 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -936,7 +936,11 @@ void HT_caps_handler(struct adapter *padapter, struct ndis_80211_var_ie *pIE)

pmlmeinfo->HT_caps_enable = 1;

- for (i = 0; i < (pIE->length); i++) {
+ if (pIE->length < 2)
+ return;
+
+ for (i = 0; i < umin(pIE->length,
+ sizeof(pmlmeinfo->HT_caps.u.HT_cap)); i++) {
if (i != 2) {
/* Commented by Albert 2010/07/12 */
/* Got the endian issue here. */
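Review bot: the new `if (pIE->length < 2) return;` is placed after `pmlmeinfo->HT_caps_enable = 1;`, so an IE too short to carry even the two capability-info bytes still leaves HT enabled while nothing is copied into HT_cap[] and the LDPC/STBC fields derived after the loop are never set; later code then sees HT as negotiated without any capabilities having been parsed from this AP. The changelog keeps the enable-first order to avoid regressing HT for APs with oversized IEs, but that argument covers the umin() truncation path, not a sub-2-byte IE, which cannot be a well-formed HT Capabilities element. Suggest either moving the guard above the `HT_caps_enable = 1` assignment so a malformed IE is treated as absent, or adding a comment in the function stating why enabling HT with no parsed capabilities is intended, so the next reader does not "fix" it back. The loop bound itself looks right: `umin(pIE->length, sizeof(pmlmeinfo->HT_caps.u.HT_cap))` compares a u8 against a size_t with no signedness mismatch, and the write side can no longer exceed the array.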
--
2.53.0