From: Johannes Berg Date: Sun, 27 Aug 2023 11:05:19 +0000 (+0300) Subject: wifi: cfg80211: fix off-by-one in element defrag X-Git-Tag: v6.7-rc1~160^2~207^2~158 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=43125539fc69c6aa63d34b516939431391bddeac;p=thirdparty%2Fkernel%2Flinux.git wifi: cfg80211: fix off-by-one in element defrag If a fragment is the last element, it's erroneously not accepted. Fix that. Fixes: f837a653a097 ("wifi: cfg80211: add element defragmentation helper") Signed-off-by: Johannes Berg Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230827135854.adca9fbd3317.I6b2df45eb71513f3e48efd196ae3cddec362dc1c@changeid Signed-off-by: Johannes Berg --- diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 0cf1ce7b69342..19516073c6d5c 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -2354,8 +2354,8 @@ ssize_t cfg80211_defragment_element(const struct element *elem, const u8 *ies, /* elem might be invalid after the memmove */ next = (void *)(elem->data + elem->datalen); - elem_datalen = elem->datalen; + if (elem->id == WLAN_EID_EXTENSION) { copied = elem->datalen - 1; if (copied > data_len) @@ -2376,7 +2376,7 @@ ssize_t cfg80211_defragment_element(const struct element *elem, const u8 *ies, for (elem = next; elem->data < ies + ieslen && - elem->data + elem->datalen < ies + ieslen; + elem->data + elem->datalen <= ies + ieslen; elem = next) { /* elem might be invalid after the memmove */ next = (void *)(elem->data + elem->datalen);
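Review bot: The first hunk, around `elem_datalen = elem->datalen;`, appears to only move a blank line and is not mentioned in the commit message. Since this change carries a Fixes: tag and is likely to be picked up for backports, I would drop the whitespace move or send it separately so the patch contains only the bounds fix.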
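Review bot: In the second hunk's `for` condition the two bounds are now asymmetric and nothing in the code says why: `elem->data < ies + ieslen` stays strict while `elem->data + elem->datalen <= ies + ieslen` becomes inclusive. A short comment would help the next reader, stating that `ies + ieslen` is one past the end of the buffer, so an element whose data ends exactly there is valid, and that the strict first clause keeps the `elem->datalen` read in bounds and only skips a zero-length element whose header ends the buffer. Given that the commit message describes the failure as a fragment being the last element, a test case with exactly that layout would keep the boundary from regressing.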