staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
3Vexday Risk Score
Sin señal de explotación. Ningún artefacto público de explotación conocido hasta ahora.
ssvc Trackepss 0.2%
probabilidad de explotación
0.2%top 94% de las CVE
explotación observada
noninguna fuente lo reporta
In the Linux kernel, the following vulnerability has been resolved:
staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
The Information Element (IE) parser rtw_get_ie() trusted the length
byte of each IE without validating that the IE body (len bytes after
the 2-byte header) fits inside the remaining frame buffer. A malformed
frame can advertise an IE length larger than the available data, causing
the parser to increment its pointer beyond the buffer end. This results
in out-of-bounds reads or, depending on the pattern, an infinite loop.
Fix by validating that (offset + 2 + len) does not exceed the limit
before accepting the IE or advancing to the next element.
This prevents OOB reads and ensures the parser terminates safely on
malformed frames.
Productos afectados
Linux · LinuxReferencias
https://git.kernel.org/stable/c/154828bf9559b9c8421fc2f0d7f7f76b3683aaedhttps://git.kernel.org/stable/c/30c558447e90935f0de61be181bbcedf75952e00https://git.kernel.org/stable/c/9829c6e1b2e4180fd18315252ad6faeab6128076https://git.kernel.org/stable/c/a54e2b2db1b7de2e008b4f62eec35aaefcc663c5https://git.kernel.org/stable/c/b977eb31802817f4a37da95bf16bfdaa1eeb5fc2https://git.kernel.org/stable/c/c0d93d69e1472ba75b78898979b90a98ba2a2501https://git.kernel.org/stable/c/df191dd9f4c7249d98ada55634fa8ac19089b8cb