From: Johannes Berg <johannes.berg@intel.com>
Date: Tue, 15 Aug 2023 15:51:05 +0000 (+0200)
Subject: wifi: mac80211: check S1G action frame size
X-Git-Tag: v6.1.55~109
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7ae7a1378a119780c8c17a6b5fc03011c3bb7029;p=thirdparty%2Fkernel%2Fstable.git

wifi: mac80211: check S1G action frame size

[ Upstream commit 19e4a47ee74718a22e963e8a647c8c3bfe8bb05c ]

Before checking the action code, check that it even
exists in the frame.

Reported-by: syzbot+be9c824e6f269d608288@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 55dc0610e8633..c4c80037df91d 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3625,6 +3625,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
 			break;
 		goto queue;
 	case WLAN_CATEGORY_S1G:
+		if (len < offsetofend(typeof(*mgmt),
+				      u.action.u.s1g.action_code))
+			break;
+
 		switch (mgmt->u.action.u.s1g.action_code) {
 		case WLAN_S1G_TWT_SETUP:
 		case WLAN_S1G_TWT_TEARDOWN: