Re: [PATCH 1/2] staging: rtl8723bs: fix OOB write in HT_caps_handler()

From: Luka Gejak

Date: Tue Apr 21 2026 - 10:46:09 EST


On Mon Apr 20, 2026 at 4:08 PM CEST, Alexandru Hossu wrote:
> HT_caps_handler() iterates pIE->length bytes and writes into
> HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
> HT_caps_element). Because pIE->length is a raw u8 from an over-the-air
> 802.11 AssocResponse frame and is never validated, a malicious AP can set
> it up to 255, causing up to 229 bytes of out-of-bounds writes into
> adjacent fields of struct mlme_ext_info.
>
> The parallel function HT_info_handler() already carries the correct guard:
>
> if (pIE->length > sizeof(struct HT_info_element))
>         return;
>
> Apply the same pattern to HT_caps_handler().
>
> Signed-off-by: Alexandru Hossu <hossu.alexandru@xxxxxxxxx>
> ---
> drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> index 6a7c09db4..b75e7f4f8 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
> @@ -934,6 +934,9 @@ void HT_caps_handler(struct adapter *padapter, struct ndis_80211_var_ie *pIE)
> if (phtpriv->ht_option == false)
> return;
>
> + if (pIE->length > sizeof(struct HT_caps_element))
> + return;
> +
> pmlmeinfo->HT_caps_enable = 1;
>
> for (i = 0; i < (pIE->length); i++) {
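Review bot: the guard added at the top of this hunk rejects only lengths above sizeof(struct HT_caps_element); a shorter element still passes, and the copy loop at the end of the hunk then fills only pIE->length bytes of HT_cap[], leaving its tail with whatever it held before. That is consistent with the existing HT_info_handler() check, and because HT_caps_enable is set only after the guard an oversized element is dropped cleanly, so the out-of-bounds write is closed. If a partially populated HT_cap[] is not acceptable, reject `pIE->length != sizeof(struct HT_caps_element)` instead, since the HT Capabilities element is fixed-length, or clear the array before the loop.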

Hi Alexandru,
this fix has already been made by Greg KH, therefore this patch is
unnecessary. You can see his patch at [1].
Best regards,
Luka Gejak

[1]: https://lore.kernel.org/linux-staging/2026041408-grill-mahogany-d1e3@gregkh/
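The bug class the commit message describes, as an added example that is not code from the rtl8723bs driver or from either poster: an unvalidated u8 length from an over-the-air element copied into a fixed 26-byte array inside a larger struct, shown before and after the guard. The struct layout (`struct mlme_ext_info_model` with one `next_field` after the HT caps), the `find_ie()` element walker, the `union info_arena` used to keep the deliberate overflow inside one object so it can be observed, and the constructed AssocResponse element blob are all assumptions made for illustration, not the driver's real definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the destination: only what is needed to show the spill.
 * The real struct mlme_ext_info has many more members around HT_caps. */
struct ht_caps_element {
    uint8_t ht_cap[26];          /* 802.11 HT Capabilities element body: fixed 26 bytes */
};

struct mlme_ext_info_model {
    uint8_t ht_caps_enable;
    struct ht_caps_element ht_caps;
    uint32_t next_field;         /* stands in for whatever follows HT_caps in the real struct */
};

/* Storage large enough that a 255-byte copy stays inside one object, so the
 * vulnerable variant can be run and observed instead of corrupting the stack. */
union info_arena {
    struct mlme_ext_info_model info;
    unsigned char raw[512];
};

struct var_ie {                  /* element id, untrusted length byte, payload */
    uint8_t element_id;
    uint8_t length;
    uint8_t data[255];
};

enum { IE_HT_CAPABILITIES = 45 };

/* Walk (id, len, value) elements and copy out the first one matching element_id.
 * The length byte is taken as-is: this is where the attacker-controlled u8 enters. */
bool find_ie(const uint8_t *buf, size_t buflen, uint8_t element_id, struct var_ie *out)
{
    size_t off = 0;
    while (off + 2 <= buflen) {
        uint8_t id = buf[off], len = buf[off + 1];
        if (off + 2 + len > buflen)
            return false;        /* element runs past the frame: malformed */
        if (id == element_id) {
            out->element_id = id;
            out->length = len;
            memcpy(out->data, buf + off + 2, len);
            return true;
        }
        off += 2 + len;
    }
    return false;
}

/* Before the fix: copies ie->length bytes with no bound. Written through a byte
 * pointer into the arena so the overflow lands on next_field deterministically. */
void ht_caps_handler_vulnerable(union info_arena *a, const struct var_ie *ie)
{
    unsigned char *dst = a->raw + offsetof(struct mlme_ext_info_model, ht_caps)
                                + offsetof(struct ht_caps_element, ht_cap);
    a->info.ht_caps_enable = 1;
    for (unsigned i = 0; i < ie->length; i++)
        dst[i] = ie->data[i];
}

/* After the fix: an element longer than the destination is dropped before
 * anything is written or enabled. */
bool ht_caps_handler_fixed(union info_arena *a, const struct var_ie *ie)
{
    if (ie->length > sizeof(struct ht_caps_element))
        return false;
    a->info.ht_caps_enable = 1;
    for (unsigned i = 0; i < ie->length; i++)
        a->info.ht_caps.ht_cap[i] = ie->data[i];
    return true;
}

/* Constructed AssocResponse element blob: an SSID element, then an HT
 * Capabilities element whose length byte the (hypothetical) hostile AP chose. */
static size_t build_frame(uint8_t *buf, uint8_t ht_len, uint8_t fill)
{
    size_t n = 0;
    buf[n++] = 0; buf[n++] = 4; memcpy(buf + n, "test", 4); n += 4;
    buf[n++] = IE_HT_CAPABILITIES; buf[n++] = ht_len;
    memset(buf + n, fill, ht_len); n += ht_len;
    return n;
}

/* Runs one handler over the constructed frame; returns whether the element was
 * accepted and reports the sentinel field that sits right after HT_caps. */
static bool run_case(bool use_fixed, uint8_t ht_len, uint32_t *next_field)
{
    uint8_t frame[2 + 4 + 2 + 255];
    size_t len = build_frame(frame, ht_len, 0x41);
    struct var_ie ie;
    union info_arena a;
    memset(&a, 0, sizeof a);
    a.info.next_field = 0xDEADBEEFu;     /* sentinel: must survive a well-behaved handler */
    if (!find_ie(frame, len, IE_HT_CAPABILITIES, &ie))
        return false;
    bool accepted = true;
    if (use_fixed)
        accepted = ht_caps_handler_fixed(&a, &ie);
    else
        ht_caps_handler_vulnerable(&a, &ie);
    *next_field = a.info.next_field;
    return accepted;
}

uint32_t next_field_after(bool use_fixed, uint8_t ht_len)
{
    uint32_t v = 0;
    run_case(use_fixed, ht_len, &v);
    return v;
}

bool ie_accepted(bool use_fixed, uint8_t ht_len)
{
    uint32_t v;
    return run_case(use_fixed, ht_len, &v);
}

int main(void)
{
    printf("vulnerable, len 255: next_field=0x%08x\n", (unsigned)next_field_after(false, 255));
    printf("fixed, len 255: accepted=%d next_field=0x%08x\n",
           ie_accepted(true, 255), (unsigned)next_field_after(true, 255));
    printf("fixed, len 26: accepted=%d next_field=0x%08x\n",
           ie_accepted(true, 26), (unsigned)next_field_after(true, 26));
    return 0;
}
```

With the length byte at 255 the unguarded loop writes 229 bytes past the 26-byte array, which here shows up as the sentinel after HT_caps turning into 0x41414141; the guarded handler refuses the element before touching anything, and a well-formed 26-byte element is still accepted.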