Re: [PATCH] staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()

From: Greg Kroah-Hartman

Date: Mon Feb 23 2026 - 10:37:10 EST


On Mon, Feb 23, 2026 at 08:53:54PM +0530, Navaneeth K wrote:
> I don't have the physical RTL8723BS hardware on hand anymore to test a live
> connection, but I was able to verify your logic thoroughly in user-space.
> To be absolutely sure, I extracted both the old and patched functions into a
> standalone C harness and ran them through ASan and AFL++.
> Feeding a crafted 5-byte allocation (with a lying length byte) to the old
> code predictably triggered a 47-byte heap-buffer-overflow right at the
> memcpy.
> Against your patched code, I ran that same payload along with 20 other
> edge-case tests (1-byte buffers, empty bodies, OUI boundary mismatches,
> etc.). It cleanly rejected all of them with zero ASan errors.
> I also compiled the patched function as an AFL++ target and let it freely
> mutate the EID, length, and body bytes. After over 100,000 executions, it
> reported 0 crashes and 0 hangs.
> The logic is definitely solid. Changing the loop guard to "while (cnt + 2 <=
> in_len)" guarantees we always have at least 2 bytes before we touch the EID
> and length. Reading ie_len once and explicitly checking if it exceeds in_len
> completely stops the memcpy from reading past the end of the allocation.
>
> I have the raw ASan logs, AFL stats, and the C test harnesses saved if
> needed!
>
> Tested-by: Navaneeth K <knavaneeth786@xxxxxxxxx>
> Reviewed-by: Navaneeth K <knavaneeth786@xxxxxxxxx>

Wow, that's way more than I expected, thank you! Raw logs and test
harness are not needed, I'll trust you, worst case, we revert it if
someone complains it breaks their device :)

thanks,

greg k-h
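As an added illustration of the checks the quoted message describes (this is not the driver's rtw_get_ie_ex(), not the patch under review, and not code from either participant), here is a standalone bounded IE lookup in the same shape: the loop guard `cnt + 2 <= in_len` so the EID and length byte are always in bounds, the length byte read exactly once and checked against the bytes that remain, the OUI compared only when the body is long enough to hold it, and the copy bounded by the caller's output buffer. The function name, argument order and the sample frames are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Look up an information element (EID, length, body) in a buffer of IEs.
 * Returns the byte offset of the matching element, or -1 if no element
 * matches or the buffer is malformed.  Example code; not the driver's API.
 */
int find_ie_ex(const uint8_t *in, size_t in_len, uint8_t eid,
               const uint8_t *oui, size_t oui_len,
               uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t cnt = 0;

    if (out_len)
        *out_len = 0;
    if (!in)
        return -1;

    /* Both the EID and the length byte must lie inside the buffer. */
    while (cnt + 2 <= in_len) {
        size_t ie_len = in[cnt + 1];        /* read the length exactly once */
        size_t remaining = in_len - cnt - 2; /* bytes available for the body */

        /* A body longer than what is left would run past the allocation. */
        if (ie_len > remaining)
            return -1;

        if (in[cnt] == eid &&
            (!oui || (ie_len >= oui_len &&
                      memcmp(&in[cnt + 2], oui, oui_len) == 0))) {
            /* Copy EID + length + body only if the caller's buffer fits it. */
            if (out) {
                if (ie_len + 2 > out_cap)
                    return -1;
                memcpy(out, &in[cnt], ie_len + 2);
            }
            if (out_len)
                *out_len = ie_len + 2;
            return (int)cnt;
        }

        cnt += ie_len + 2; /* advance to the next element */
    }

    return -1;
}

/* Constructed sample inputs (not captured from real hardware). */
static const uint8_t sample_oui[] = { 0x00, 0x50, 0xF2 };

/* SSID-style element followed by a vendor element with a 3-byte OUI. */
static const uint8_t sample_frame[] = {
    0x00, 0x04, 'a', 'b', 'c', 'd',
    0xDD, 0x05, 0x00, 0x50, 0xF2, 0x01, 0x11
};

/* 5-byte buffer whose length byte claims a 47-byte body. */
static const uint8_t sample_lying_len[] = { 0xDD, 0x2F, 0x00, 0x50, 0xF2 };

/* Vendor element whose body is shorter than the OUI being matched. */
static const uint8_t sample_short_oui[] = { 0xDD, 0x02, 0x00, 0x50 };

int main(void)
{
    uint8_t out[32];
    size_t n = 0;
    int off = find_ie_ex(sample_frame, sizeof sample_frame, 0xDD,
                         sample_oui, sizeof sample_oui, out, sizeof out, &n);

    printf("vendor IE at offset %d, %zu bytes copied\n", off, n);
    printf("lying length byte -> %d\n",
           find_ie_ex(sample_lying_len, sizeof sample_lying_len, 0xDD,
                      sample_oui, sizeof sample_oui, out, sizeof out, &n));
    printf("short OUI body    -> %d\n",
           find_ie_ex(sample_short_oui, sizeof sample_short_oui, 0xDD,
                      sample_oui, sizeof sample_oui, out, sizeof out, &n));
    return 0;
}
```

The rejection on `ie_len > remaining` is checked before the EID comparison, so a malformed element cannot be skipped over into an out-of-bounds read on the next iteration either; this is slightly stricter than only rejecting the element that matches.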