Re: [PATCH v7] staging: rtl8723bs: fix remote heap info disclosure and OOB reads

From: Greg Kroah-Hartman

Date: Sat May 23 2026 - 09:45:14 EST


On Sat, May 23, 2026 at 03:13:31PM +0200, luka.gejak@xxxxxxxxx wrote:
> From: Luka Gejak <luka.gejak@xxxxxxxxx>
>
> When building an association request frame, the driver iterates over
> the ies received from the ap. In several places, the driver trusts the
> attacker-controlled pIE->length without validating that it meets the
> minimum expected size for the respective ie.
>
> For WLAN_EID_HT_CAPABILITY, this causes an oob read of adjacent heap
> memory which is then transmitted over the air (remote heap information
> disclosure). For WLAN_EID_VENDOR_SPECIFIC, it causes two separate oob
> reads: one when checking the 4-byte oui, and another when copying the
> 14-byte wps ie.
>
> Fix these issues by adding upper-bound checks at the start of the loop
> to ensure the ie fits within the buffer, and explicit lower-bound
> checks to return a failure if the length is insufficient. For
> HT_CAPABILITY, also clamp the length passed to rtw_set_ie() to the
> struct size.
>
> Also fix three additional issues discovered during review:
> - Missing free of pmgntframe and its xmitbuf before jumping to exit
> in the WLAN_EID_VENDOR_SPECIFIC lower-bound checks.
> - In is_ap_in_tkip(), add missing lower-bound checks for the RSN and
> vendor-specific IE data accesses (pre-existing bug).
> - Move rtw_buf_update() before dump_mgntframe() to avoid a potential
> use-after-free of pwlanhdr, which points into the mgmt frame buffer
> (pre-existing bug).

When you say "also" that implies you need to break this patch up into
smaller pieces, right? Please do so.

>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Luka Gejak <luka.gejak@xxxxxxxxx>
> ---
> Changes in v7:
> - Address new sashiko comments.
>

That does not say _what_ you did, only that you did _something_. Please
be more specific.

thanks,

greg k-h
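The patch body is not quoted in this reply, so as an added example (written for this page, not the rtl8723bs driver's code or the submitted patch) here is the IE-walking pattern the commit message describes: an upper-bound check at the top of the loop so the element header and body fit inside the received buffer, and an explicit lower-bound check before each fixed-size read, with the HT capability copy clamped to the struct size. It assumes the standard 802.11 element IDs (45 for HT capability, 221 for vendor specific), a 26-byte HT capability body, and the WPS OUI+type 00:50:F2:04 for the vendor-specific match; the sample IE lists are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 802.11 element IDs (standard values, assumed here; the page names only the macros). */
#define EID_HT_CAPABILITY   45   /* WLAN_EID_HT_CAPABILITY */
#define EID_VENDOR_SPECIFIC 221  /* WLAN_EID_VENDOR_SPECIFIC */
#define HT_CAP_LEN          26   /* assumed HT capability struct size */
#define WPS_IE_COPY_LEN     14   /* bytes the commit message says are copied from the WPS IE */
#define OUI_TYPE_LEN        4    /* 3-byte OUI + 1-byte type checked before the copy */

struct parsed_ies {
    int ht_found;
    uint8_t ht_cap[HT_CAP_LEN];
    int wps_found;
    uint8_t wps[WPS_IE_COPY_LEN];
};

/* WPS OUI+type (00:50:F2, type 0x04); assumption for this example. */
static const uint8_t wps_oui_type[OUI_TYPE_LEN] = { 0x00, 0x50, 0xF2, 0x04 };

/*
 * Walk an IE list with both checks the patch describes.
 * Returns 0 on success, -1 when any bound check fails; the caller then
 * rejects the frame instead of reading past the buffer.
 */
int parse_assoc_ies(const uint8_t *ies, size_t ies_len, struct parsed_ies *out)
{
    size_t pos = 0;
    memset(out, 0, sizeof(*out));

    while (pos < ies_len) {
        /* Upper bound: the 2-byte header must be inside the buffer ... */
        if (ies_len - pos < 2)
            return -1;
        uint8_t id = ies[pos];
        uint8_t len = ies[pos + 1];
        const uint8_t *body = ies + pos + 2;
        /* ... and so must the whole body the length byte claims. */
        if (len > ies_len - pos - 2)
            return -1;

        switch (id) {
        case EID_HT_CAPABILITY:
            /* Lower bound: reading a full struct from a shorter body is an OOB read. */
            if (len < HT_CAP_LEN)
                return -1;
            /* Clamp the copy to the struct size even if the AP sent more. */
            memcpy(out->ht_cap, body, HT_CAP_LEN);
            out->ht_found = 1;
            break;
        case EID_VENDOR_SPECIFIC:
            /* Lower bound before comparing the 4-byte OUI+type. */
            if (len < OUI_TYPE_LEN)
                return -1;
            if (memcmp(body, wps_oui_type, OUI_TYPE_LEN) == 0) {
                /* Lower bound before the 14-byte copy. */
                if (len < WPS_IE_COPY_LEN)
                    return -1;
                memcpy(out->wps, body, WPS_IE_COPY_LEN);
                out->wps_found = 1;
            }
            break;
        default:
            break;
        }
        pos += 2 + len;   /* cannot overflow: len was bounded above */
    }
    return 0;
}

/* Convenience wrapper: -1 on rejection, else bit0 = HT found, bit1 = WPS found. */
int parse_ies_result(const uint8_t *ies, size_t ies_len)
{
    struct parsed_ies out;
    if (parse_assoc_ies(ies, ies_len, &out) < 0)
        return -1;
    return out.ht_found | (out.wps_found << 1);
}

/* Constructed sample IE lists (not captured traffic). */
static const uint8_t sample_good[] = {
    EID_HT_CAPABILITY, HT_CAP_LEN,
    0x2c, 0x01, 0x17, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    EID_VENDOR_SPECIFIC, WPS_IE_COPY_LEN,
    0x00, 0x50, 0xF2, 0x04, 0x10, 0x4a, 0x00, 0x01, 0x10, 0x10, 0x3a, 0x00, 0x01, 0x00
};
/* HT capability claiming only 10 bytes: the old code would read 16 bytes past it. */
static const uint8_t sample_short_ht[] = {
    EID_HT_CAPABILITY, 10, 0x2c, 0x01, 0x17, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00
};
/* Length byte larger than the remaining buffer: caught by the upper-bound check. */
static const uint8_t sample_overlong[] = { EID_VENDOR_SPECIFIC, 30, 0x00, 0x50, 0xF2, 0x04 };
/* Vendor-specific IE too short to hold the 4-byte OUI+type. */
static const uint8_t sample_short_vendor[] = { EID_VENDOR_SPECIFIC, 3, 0x00, 0x50, 0xF2 };
/* A non-WPS vendor IE of 5 bytes is legitimate and must still parse. */
static const uint8_t sample_other_vendor[] = { EID_VENDOR_SPECIFIC, 5, 0x00, 0x0c, 0x43, 0x01, 0x00 };

int main(void)
{
    printf("good=%d short_ht=%d overlong=%d short_vendor=%d other_vendor=%d\n",
           parse_ies_result(sample_good, sizeof(sample_good)),
           parse_ies_result(sample_short_ht, sizeof(sample_short_ht)),
           parse_ies_result(sample_overlong, sizeof(sample_overlong)),
           parse_ies_result(sample_short_vendor, sizeof(sample_short_vendor)),
           parse_ies_result(sample_other_vendor, sizeof(sample_other_vendor)));
    return 0;
}
```

The upper-bound check is what keeps the loop itself from walking off the end of the buffer; the per-element lower-bound checks are what stop a well-framed but undersized element from pulling adjacent heap bytes into the association request, which is the disclosure the commit message describes.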