]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
projects / thirdparty / kernel / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e1e83fe) | patch
wifi: mac80211: fix MLE defragmentation
authorJohannes Berg <johannes.berg@intel.com>
Fri, 8 May 2026 07:10:31 +0000 (09:10 +0200)
committerJohannes Berg <johannes.berg@intel.com>
Wed, 20 May 2026 09:19:52 +0000 (11:19 +0200)
commita74e893f30db64cdce0fc7a96d3baa417bcd55f5
tree5148406a0ecfb04c543d6a3fd4397c55fb6dad2atree | snapshot
parente1e83feb8eae82cc9cc676db4c70f52fedc4735dcommit | diff
wifi: mac80211: fix MLE defragmentation

If either reconf or EPCS multi-link element (MLE) is contained in
a non-transmitted profile, the defragmentation routine is called
with a pointer to the defragmented copy, but the original elements.

This is incorrect for two reasons:
 - if the original defragmentation was needed, it will not find the
   correct data
 - if the original frame is at a higher address, the parsing will
   potentially overrun the heap data (though given the layout of
   the buffers, only into the new defragmentation buffer, and then
   it has to stop and fail once that's filled with copied data.

Fix it by tracking the container along with the pointer and in
doing so also unify the two almost identical defragmentation
routines.

Fixes: 4d70e9c5488d ("wifi: mac80211: defragment reconfiguration MLE when parsing")
Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Link: https://patch.msgid.link/20260508091031.8a6c34613178.I4de16ebbce2d27f2f8f98fc49949c7a376c2fe8d@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/mac80211/parse.c diff | blob | blame | history
A mirror of Linus' kernel repository