]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
wifi: cfg80211: validate assoc response length before status and IE access
authorZhao Li <enderaoelyther@gmail.com>
Tue, 7 Jul 2026 02:53:35 +0000 (10:53 +0800)
committerJohannes Berg <johannes.berg@intel.com>
Tue, 7 Jul 2026 07:31:38 +0000 (09:31 +0200)
commitb760113aeca2e9362d56bf9e9263373ffe6c8eb3
tree1fabf6d178edf17b1e54ad60468b77aeae1f9363
parentd5e4586546974179feca305a94e07fac3e9727fe
wifi: cfg80211: validate assoc response length before status and IE access

cfg80211_rx_assoc_resp() initialises the status and response-IE fields
of cfg80211_connect_resp_params from the management frame before
proving that the frame is long enough for those offsets. S1G and
regular association responses also have different IE offsets, but the
S1G path only patched resp_ie after the unsafe initialiser had already
run.

Defer resp_ie, resp_ie_len, and status to after the link-iteration
loop. Use a bool to remember whether the frame is S1G, then validate
the appropriate minimum length and set all three fields in a single
if/else block. Funnel short-frame and SME-reject cleanup through a
shared free_bss label for the abandon paths.

Assisted-by: Codex:gpt-5.5
Assisted-by: Claude:claude-opus-4.8
Signed-off-by: Zhao Li <enderaoelyther@gmail.com>
Link: https://patch.msgid.link/20260707025336.22557-2-enderaoelyther@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/wireless/mlme.c