[PATCH 2/2] staging: rtl8723bs: bound SUPP_RATES IE length in rtw_check_beacon_data
From: Shayaun Nejad
Date: Mon May 11 2026 - 21:47:15 EST
rtw_check_beacon_data() copies SUPP_RATES and EXT_SUPP_RATES IE
payloads into a 16-byte support_rate[] buffer.
The IE lengths are used directly, so oversized rate IEs can overflow the
stack buffer.
Clamp the supported rates copy and the combined extended supported rates
copy to NDIS_802_11_LENGTH_RATES_EX.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Shayaun Nejad <snejad123@xxxxxxxxx>
---
drivers/staging/rtl8723bs/core/rtw_ap.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_ap.c b/drivers/staging/rtl8723bs/core/rtw_ap.c
index 4b40124110..363ecb02b5 100644
--- a/drivers/staging/rtl8723bs/core/rtw_ap.c
+++ b/drivers/staging/rtl8723bs/core/rtw_ap.c
@@ -873,6 +873,7 @@ int rtw_check_beacon_data(struct adapter *padapter, u8 *pbuf, int len)
&ie_len,
(pbss_network->ie_length - _BEACON_IE_OFFSET_));
if (p) {
+ ie_len = min_t(uint, ie_len, NDIS_802_11_LENGTH_RATES_EX);
memcpy(support_rate, p + 2, ie_len);
support_rate_num = ie_len;
}
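Review bot: The clamp on the added min_t() line bounds ie_len by NDIS_802_11_LENGTH_RATES_EX, but the buffer it protects is support_rate[], whose declaration is outside this hunk. The commit message gives the buffer as 16 bytes, so the fix relies on the constant and the array size staying equal. Consider clamping against sizeof(support_rate), or declaring the array with that constant if it is not already, so the bound follows the destination. The oversized IE is also truncated silently and support_rate_num takes the clamped value. If a SUPP_RATES IE longer than the buffer is never valid here, returning an error instead of continuing with a truncated rate set is worth considering, or the commit message should say why truncation is preferred.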
@@ -882,8 +883,11 @@ int rtw_check_beacon_data(struct adapter *padapter, u8 *pbuf, int len)
WLAN_EID_EXT_SUPP_RATES,
&ie_len,
pbss_network->ie_length - _BEACON_IE_OFFSET_);
- if (p)
+ if (p && support_rate_num < NDIS_802_11_LENGTH_RATES_EX) {
+ ie_len = min_t(uint, ie_len,
+ NDIS_802_11_LENGTH_RATES_EX - support_rate_num);
memcpy(support_rate + support_rate_num, p + 2, ie_len);
+ }
network_type = rtw_check_network_type(support_rate, channel);
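Review bot: In the new condition "if (p && support_rate_num < NDIS_802_11_LENGTH_RATES_EX)", the subtraction inside the min_t() that follows is safe only because of that guard together with the SUPP_RATES clamp in the previous hunk, which keeps support_rate_num at or below the limit. A one-line comment stating that invariant would help, since dropping the guard in a later cleanup would let the difference go negative and be cast to a large uint by min_t(). As with the first copy, an EXT_SUPP_RATES IE that does not fit is truncated or skipped without any indication before support_rate is handed to rtw_check_network_type(). Consider whether that case should fail the beacon check instead.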
--
2.43.0