summaryrefslogtreecommitdiff
path: root/include/linux/device-id/git@git.tavy.me:linux-stable.git
diff options
context:
space:
mode:
authorAlexandru Hossu <hossu.alexandru@gmail.com>2026-05-22 02:45:25 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2026-07-07 13:43:10 +0200
commited51de4a86e173c3b0ef78e039c2e49e08b11f16 (patch)
tree9fd90060e19c09582d98c316085525b77a90804a /include/linux/device-id/git@git.tavy.me:linux-stable.git
parenta1fc19d61f661d47204f095b593de507884849f7 (diff)
staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop
The IE parsing loop in update_beacon_info() advances by (pIE->length + 2) each iteration but only guards on i < len. When a malicious AP sends a Beacon whose last IE has only one byte remaining in the frame (the element_id byte lands at len-1), the loop reads pIE->length from one byte past the allocated receive buffer. Additionally, even when the header bytes are in bounds, pIE->length itself can extend the data window beyond len, passing a truncated IE to the handler functions. Add two guards at the top of the loop body: 1. Break if fewer than sizeof(*pIE) bytes remain (can't read header). 2. Break if the IE's declared data extends past len. Also replace i += (pIE->length + 2) with i += sizeof(*pIE) + pIE->length for consistency with the sizeof(*pIE) guards added above. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable <stable@kernel.org> Reviewed-by: Luka Gejak <luka.gejak@linux.dev> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com> Link: https://patch.msgid.link/20260522004531.1038924-2-hossu.alexandru@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'include/linux/device-id/git@git.tavy.me:linux-stable.git')
0 files changed, 0 insertions, 0 deletions