Commit 154828bf authored Nov 20, 2025 by Navaneeth K Committed by Greg Kroah-Hartman Nov 27, 2025

staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser



The Information Element (IE) parser rtw_get_ie() trusted the length
byte of each IE without validating that the IE body (len bytes after
the 2-byte header) fits inside the remaining frame buffer. A malformed
frame can advertise an IE length larger than the available data, causing
the parser to increment its pointer beyond the buffer end. This results
in out-of-bounds reads or, depending on the pattern, an infinite loop.

Fix by validating that (offset + 2 + len) does not exceed the limit
before accepting the IE or advancing to the next element.

This prevents OOB reads and ensures the parser terminates safely on
malformed frames.

Signed-off-by: Navaneeth K <knavaneeth786@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 1520007a

drivers/staging/rtl8723bs/core/rtw_ieee80211.c

+8 −6

Original line number	Diff line number	Diff line
		@@ -138,22 +138,24 @@ u8 rtw_get_ie(u8 pbuf, signed int index, signed int *len, signed int limit)
		signed int tmp, i;
		u8 *p;

		if (limit < 1)
		if (limit < 2)
		return NULL;

		p = pbuf;
		i = 0;
		*len = 0;
		while (1) {
		while (i + 2 <= limit) {
		tmp = *(p + 1);
		if (i + 2 + tmp > limit)
		break;

		if (*p == index) {
		len = (p + 1);
		*len = tmp;
		return p;
		}
		tmp = *(p + 1);

		p += (tmp + 2);
		i += (tmp + 2);
		if (i >= limit)
		break;
		}
		return NULL;
		}