[PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler()

Next message: David Howells: "[PATCH net 4/4] rxrpc: Fix rxkad crypto unalignment handling"
Previous message: David CARLIER: "Re: [PATCH 0/7] iio: dac: Convert several drivers to devm_mutex_init()"
In reply to: Luka Gejak: "Re: [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler()"
Next in thread: Alexandru Hossu: "Re: [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Alexandru Hossu

Date: Mon Apr 20 2026 - 11:22:40 EST

From: Alexandru Hossu <a.hossu@xxxxxxxxxxxxxxxxxx>

HT_caps_handler() iterates pIE->length bytes and writes into
HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
HT_caps_element). Because pIE->length is a raw u8 from an over-the-air
802.11 AssocResponse frame and is never validated, a malicious AP can set
it up to 255, causing up to 229 bytes of out-of-bounds writes into
adjacent fields of struct mlme_ext_info.

The parallel function HT_info_handler() already carries the correct guard:

if (pIE->length > sizeof(struct HT_info_element))
return;

Apply the same pattern to HT_caps_handler().

Signed-off-by: Alexandru Hossu <a.hossu@xxxxxxxxxxxxxxxxxx>
---
drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
index 6a7c09db4..b75e7f4f8 100644
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -934,6 +934,9 @@ void HT_caps_handler(struct adapter *padapter, struct ndis_80211_var_ie *pIE)
if (phtpriv->ht_option == false)
return;

+ if (pIE->length > sizeof(struct HT_caps_element))
+ return;
+
pmlmeinfo->HT_caps_enable = 1;

for (i = 0; i < (pIE->length); i++) {
--
2.53.0