[PATCH v5 0/3] staging: rtl8723bs: fix OOB reads and heap overflow in IE parsing

From: Alexandru Hossu

Date: Mon May 11 2026 - 13:01:07 EST


v5, addressing the sashiko review comments on v4.

This series builds on the fixes already applied to your tree:

83255a78cc46 ("staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl()")
96bcf0a58df3 ("staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop")
92f3954ca9e9 ("staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie()")

Patch 1/3 adds the remaining three fixes for update_beacon_info() and
bwmode_update_check():
- An unsigned underflow guard for the pkt_len subtraction.
- The WMM condition is reordered so pIE->length == WLAN_WMM_LEN is
checked before memcmp(pIE->data, WMM_PARA_OUI, 6) to prevent the
6-byte read on a short IE payload.
- bwmode_update_check() now rejects IEs that are not exactly
sizeof(struct HT_info_element) bytes, preventing an OOB read of
infos[0] on a zero-length IE.

Patch 2/3 adds the remaining fixes for issue_assocreq() and
join_cmd_hdl():
- A pIE->length >= 4 guard before the 4-byte OUI memcmps in
issue_assocreq()'s vendor-specific case.
- In the WPS truncation path of issue_assocreq(), if pIE->length < 14,
the IE is skipped rather than passing vs_ie_length = 14 to rtw_set_ie()
with a shorter payload, which would cause an OOB read.
- A minimum length check and sizeof() fix for the HT Capability IE in
issue_assocreq().
- The WMM guard in join_cmd_hdl() is strengthened from pIE->length >= 4
to pIE->length >= WLAN_WMM_LEN (24): WMM_param_handler() reads
pIE->data + 6 and copies sizeof(struct WMM_para_element) = 18 bytes,
so a minimum of 24 bytes is required, not 4.
- A minimum length check before casting pIE->data to
struct HT_info_element * in join_cmd_hdl().
- i += changed to sizeof(*pIE) + pIE->length in both loops for
consistency with the header bounds guards.

Patch 3/3 adds the remaining fixes for rtw_get_wps_ie():
- Header bounds check: break if fewer than 2 bytes remain for the
element_id + length fields.
- Payload bounds check: break if the declared IE payload extends past
in_len.
- OUI length guard: in_ie[cnt + 1] >= 4 before the 4-byte WPS OUI
memcmp.

What changed in v5:

Patch 2 (issue_assocreq, join_cmd_hdl):
- In the WPS truncation path, v4 set vs_ie_length = 14 and called
rtw_set_ie() with pIE->data even when pIE->length < 14, reading up
to (14 - pIE->length) bytes past the IE payload. Fixed by breaking
out of the switch when pIE->length < 14 (sashiko review of v4).
- The WMM guard in join_cmd_hdl() was pIE->length >= 4, sufficient
for the OUI check but not for WMM_param_handler(), which reads
pIE->data + 6 and copies 18 bytes (total 24). Strengthened to
pIE->length >= WLAN_WMM_LEN (sashiko review of v4).

Alexandru Hossu (3):
staging: rtl8723bs: fix OOB reads in update_beacon_info() and
bwmode_update_check()
staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and
join_cmd_hdl()
staging: rtl8723bs: fix OOB reads in rtw_get_wps_ie()

drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 9 ++++++++-
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 26 ++++++++++++++++++--------
drivers/staging/rtl8723bs/core/rtw_wlan_util.c | 8 ++++++--
3 files changed, 32 insertions(+), 11 deletions(-)
--
2.53.0
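The three guards the cover letter describes for rtw_get_wps_ie() (header bounds, payload bounds, OUI length), written out as an added example in plain C that is not part of this series or of the driver; EID_VENDOR_SPECIFIC and the WPS OUI bytes are the standard 802.11 values assumed here, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard 802.11 values, assumed here rather than taken from the driver. */
#define EID_VENDOR_SPECIFIC 0xDD
static const uint8_t WPS_OUI[4] = { 0x00, 0x50, 0xF2, 0x04 };

/* Walk a tag/length/value IE buffer and return the offset of the first
 * vendor-specific IE carrying the WPS OUI, or -1. Each check mirrors one
 * guard the cover letter describes for rtw_get_wps_ie(). */
int find_wps_ie(const uint8_t *in_ie, size_t in_len)
{
    size_t cnt = 0;
    while (cnt < in_len) {
        /* Header bounds: element_id + length need 2 bytes. */
        if (in_len - cnt < 2)
            break;
        uint8_t eid = in_ie[cnt];
        uint8_t len = in_ie[cnt + 1];
        /* Payload bounds: the declared payload must end within in_len. */
        if (len > in_len - cnt - 2)
            break;
        /* OUI guard: only compare 4 payload bytes when 4 are declared. */
        if (eid == EID_VENDOR_SPECIFIC && len >= 4 &&
            memcmp(&in_ie[cnt + 2], WPS_OUI, 4) == 0)
            return (int)cnt;
        cnt += 2 + len; /* header + payload, same step as the fixed loops */
    }
    return -1;
}

/* Constructed sample buffers (not captured from a real access point). */
static const uint8_t ie_ok[] = { 0x00, 0x03, 'a', 'b', 'c',          /* SSID "abc" */
                                 0xDD, 0x05, 0x00, 0x50, 0xF2, 0x04, 0x10 }; /* WPS */
/* Declares 20 payload bytes but only 3 follow: must not be read. */
static const uint8_t ie_truncated[] = { 0xDD, 0x14, 0x00, 0x50, 0xF2 };
/* A 3-byte payload is too short for the 4-byte OUI compare. */
static const uint8_t ie_short_oui[] = { 0xDD, 0x03, 0x00, 0x50, 0xF2 };
/* Only an element_id byte remains at the tail, no length byte. */
static const uint8_t ie_dangling[] = { 0x00, 0x00, 0xDD };

int main(void)
{
    printf("ok=%d truncated=%d short=%d dangling=%d\n",
           find_wps_ie(ie_ok, sizeof ie_ok), find_wps_ie(ie_truncated, sizeof ie_truncated),
           find_wps_ie(ie_short_oui, sizeof ie_short_oui), find_wps_ie(ie_dangling, sizeof ie_dangling));
    return 0;
}
```

The truncated and dangling buffers are the shapes an unguarded loop would read past; with the checks in place the walk stops at the first IE that does not fit and returns -1 without touching bytes beyond in_len.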