Commit 502ddcc4 authored Nov 20, 2025 by Navaneeth K Committed by Greg Kroah-Hartman Nov 27, 2025

staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing



The Extended Supported Rates (ESR) IE handling in OnBeacon accessed
*(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these
offsets lie within the received frame buffer. A malformed beacon with
an ESR IE positioned at the end of the buffer could cause an
out-of-bounds read, potentially triggering a kernel panic.

Add a boundary check to ensure that the ESR IE body and the subsequent
bytes are within the limits of the frame before attempting to access
them.

This prevents OOB reads caused by malformed beacon frames.

Signed-off-by: Navaneeth K <knavaneeth786@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 6ef0e1c1

drivers/staging/rtl8723bs/core/rtw_mlme_ext.c

+5 −3

Original line number	Diff line number	Diff line
		@@ -574,10 +574,12 @@ unsigned int OnBeacon(struct adapter padapter, union recv_frame precv_frame)

		p = rtw_get_ie(pframe + sizeof(struct ieee80211_hdr_3addr) + _BEACON_IE_OFFSET_, WLAN_EID_EXT_SUPP_RATES, &ielen, precv_frame->u.hdr.len - sizeof(struct ieee80211_hdr_3addr) - _BEACON_IE_OFFSET_);
		if (p && ielen > 0) {
		if (p + 2 + ielen < pframe + len) {
		if (((p + 1 + ielen) == 0x2D) && ((p + 2 + ielen) != 0x2D))
		/* Invalid value 0x2D is detected in Extended Supported Rates (ESR) IE. Try to fix the IE length to avoid failed Beacon parsing. */
		*(p + 1) = ielen - 1;
		}
		}

		if (pmlmeext->sitesurvey_res.state == SCAN_PROCESS) {
		report_survey_event(padapter, precv_frame);