summaryrefslogtreecommitdiff
path: root/rust/zerocopy/git@git.tavy.me:linux-stable.git
diff options
context:
space:
mode:
authorAlexandru Hossu <hossu.alexandru@gmail.com>2026-05-22 02:45:28 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2026-07-07 13:43:19 +0200
commitf8001e1a516ba3b495728c65b61f799cbfad6bd0 (patch)
tree54c80843cfdce311b435e7c7164f4dc22042fd88 /rust/zerocopy/git@git.tavy.me:linux-stable.git
parent5a752a616e756844388a1a45404db9fc29fec655 (diff)
staging: rtl8723bs: fix OOB write in HT_caps_handler()
HT_caps_handler() iterates pIE->length bytes and writes into HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct HT_caps_element). Because pIE->length is a raw u8 from an over-the-air 802.11 AssocResponse frame and is never validated, a malicious AP can set it up to 255, causing up to 229 bytes of out-of-bounds writes into adjacent fields of struct mlme_ext_info. Truncate the iteration count to the size of HT_caps.u.HT_cap using umin() so that data from a longer-than-expected IE is silently ignored rather than written out of bounds, preserving interoperability with APs that pad the element. An early return on oversized IEs was considered but rejected: it would bypass the pmlmeinfo->HT_caps_enable = 1 assignment that precedes the loop, silently disabling HT mode for APs that append extra bytes to the HT Capabilities IE. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable <stable@kernel.org> Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com> Reviewed-by: Luka Gejak <luka.gejak@linux.dev> Link: https://patch.msgid.link/20260522004531.1038924-5-hossu.alexandru@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'rust/zerocopy/git@git.tavy.me:linux-stable.git')
0 files changed, 0 insertions, 0 deletions