staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser - kernel/linux.git

diff options

author	Navaneeth K <knavaneeth786@gmail.com>	2025-11-20 19:23:52 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-12-12 20:40:23 +0300
commit	df191dd9f4c7249d98ada55634fa8ac19089b8cb (patch)
tree	1cfbf52ec062593eb7eb27d74c09339532d8d28a /include/linux/overflow.h
parent	573b07d2e3d473ee7eb625ef87519922cf01168d (diff)
download	linux-df191dd9f4c7249d98ada55634fa8ac19089b8cb.tar.xz

staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser

commit 154828bf9559b9c8421fc2f0d7f7f76b3683aaed upstream. The Information Element (IE) parser rtw_get_ie() trusted the length byte of each IE without validating that the IE body (len bytes after the 2-byte header) fits inside the remaining frame buffer. A malformed frame can advertise an IE length larger than the available data, causing the parser to increment its pointer beyond the buffer end. This results in out-of-bounds reads or, depending on the pattern, an infinite loop. Fix by validating that (offset + 2 + len) does not exceed the limit before accepting the IE or advancing to the next element. This prevents OOB reads and ensures the parser terminates safely on malformed frames. Signed-off-by: Navaneeth K <knavaneeth786@gmail.com> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'include/linux/overflow.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: