wifi: iwlwifi: mld: check the validity of noa_len

Validate iwl_probe_resp_data_notif::noa_attr::len_low since we are using
its value to determine the noa_len, which is later used for the NoA
attribute.

Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20251019114304.b127a2b57e8c.I7ccaf118d236fb39da5da351b95ad9b37b825bc2@changeid

diff --git a/drivers/net/wireless/intel/iwlwifi/mld/iface.c b/drivers/net/wireless/intel/iwlwifi/mld/iface.c
index ed379825a923610abaccbaeca03ad00edb6abb27..a5ececfc13e449e2ed54cd27aab2661c0a47f056 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/mld/iface.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/iface.c
@@ -528,6 +528,19 @@ void iwl_mld_handle_probe_resp_data_notif(struct iwl_mld *mld,
 
        mld_link = &iwl_mld_vif_from_mac80211(vif)->deflink;
 
+       /* len_low should be 2 + n*13 (where n is the number of descriptors.
+        * 13 is the size of a NoA descriptor). We can have either one or two
+        * descriptors.
+        */
+       if (IWL_FW_CHECK(mld, notif->noa_active &&
+                        notif->noa_attr.len_low != 2 +
+                        sizeof(struct ieee80211_p2p_noa_desc) &&
+                        notif->noa_attr.len_low != 2 +
+                        sizeof(struct ieee80211_p2p_noa_desc) * 2,
+                        "Invalid noa_attr.len_low (%d)\n",
+                        notif->noa_attr.len_low))
+               return;
+
        new_data = kzalloc(sizeof(*new_data), GFP_KERNEL);
        if (!new_data)
                return;