Re: [PATCH 1/1] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie

Next message: Kathiravan Thirumoorthy: "[PATCH v7 3/5] dt-bindings: watchdog: qcom-wdt: Document sram property"
Previous message: Haibo Chen: "[PATCH v2 2/2] arm64: dts: imx952-evk: add MT35XU01G spi nor flash"
In reply to: luka . gejak: "[PATCH 1/1] staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dan Carpenter

Date: Wed Feb 25 2026 - 01:47:28 EST

On Tue, Feb 24, 2026 at 02:26:47PM +0100, luka.gejak@xxxxxxxxx wrote:
> From: Luka Gejak <luka.gejak@xxxxxxxxx>
>
> The current code checks 'i + 5 < in_len' at the end of the if statement.
> However, it accesses 'in_ie[i + 5]' before that check, which can lead
> to an out-of-bounds read. Move the length check to the beginning of the
> conditional to ensure the index is within bounds before accessing the
> array.
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Luka Gejak <luka.gejak@xxxxxxxxx>
> ---

This really should have a note here which says:

v4: Sent this patch previously as part of a patchset, but pulled it
out by itself because it's a bugfix and the rest of the patchset
was cleanups.

Otherwise, it's like I remember that I have seen something like this
before but I don't know why I'm seeing this now. I thought maybe it
was the same bug in a different driver or something so I had to look
it up on lore.

Anyway, looks good otherwise.

Reviewed-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

regards,
dan carpenter