Re: [PATCH 0/5] staging: rtl8723bs: fix multiple OOB reads in IE and frame parsing

From: Greg Kroah-Hartman

Date: Sun Jul 19 2026 - 01:19:10 EST


On Sat, Jul 18, 2026 at 11:54:40PM +0500, Muhammad Bilal wrote:
> This series fixes five out-of-bounds read and buffer overflow bugs
> in the rtl8723bs staging driver where length or offset fields from
> untrusted wireless frames are used without validating that enough
> bytes remain in the buffer.
>
> Patches 1-4 are reachable remotely through crafted management frames
> (beacons, probe responses, scan results). Patch 5 is reachable
> locally via raw frame injection on a monitor-mode interface.
>
> Impact:
>
> 1/5 OOB read of IE length byte and OUI data in rtw_get_wps_ie()
> 2/5 OOB read plus stack buffer overflow via attacker-controlled
> memcpy length in rtw_get_wps_attr()
> 3/5 OOB read of action frame category and action bytes
> 4/5 OOB read of next-IE length in the non-matching fallthrough path
> 5/5 skb->len underflow after unchecked skb_pull in monitor TX path
>
> All fixes are single-hunk bounds checks following the same pattern
> already used in the sibling functions in these files.
>
> Tested: CONFIG_RTL8723BS=m with CONFIG_KASAN=y, checkpatch clean.

How did you find these, and how were they tested? Do you have this
hardware?

thanks,

greg k-h