wifi: mac80211: don't parse full UHR operation from beacons
authorJohannes Berg <johannes.berg@intel.com>
Tue, 28 Apr 2026 09:25:41 +0000 (11:25 +0200)
committerJohannes Berg <johannes.berg@intel.com>
Tue, 5 May 2026 12:49:04 +0000 (14:49 +0200)
Currently, as noted in the comment, ieee80211_uhr_oper_size_ok()
will reject the element coming from the beacon, since it's too
short. However, this is incorrect in general, since the element
is extensible, and such extensions could be present in a beacon,
and then it might pass muster anyway.

Using the frame type we now have in the element parse result,
check that it's not coming from a beacon. The size was already
checked (according to frame type) during parsing.

Link: https://patch.msgid.link/20260428112708.41a7aacdda0c.I0d83c8c9cbee41fd2599480cad815b94867aa1f8@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/mac80211/mlme.c

index a818568d34b90f169d80d3c1908099d8910037a2..b09c82082d30fd7a8207e109e50ad712ac557cd6 100644 (file)
@@ -392,14 +392,7 @@ check_uhr:
        if (conn->mode < IEEE80211_CONN_MODE_UHR || !uhr_oper)
                return IEEE80211_CONN_MODE_EHT;
 
-       /*
-        * In beacons we don't have all the data - but we know the size was OK,
-        * so if the size is valid as a non-beacon case, we have more data and
-        * can validate the NPCA parameters.
-        */
-       if (ieee80211_uhr_oper_size_ok((const void *)uhr_oper,
-                                      elems->uhr_operation_len,
-                                      false)) {
+       if (elems->frame_type != (IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_BEACON)) {
                struct cfg80211_chan_def npca_chandef = *chandef;
                const struct ieee80211_sta_uhr_cap *uhr_cap;
                const struct ieee80211_uhr_npca_info *npca;
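Review bot: The new `if (elems->frame_type != (IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_BEACON))` condition drops the comment that explained why beacons are excluded, so the NPCA reads inside the block now rely on a size check done during parsing, with nothing at this site saying so. I would add a short comment above the condition, for example `/* Beacons don't carry the full UHR operation data; the parser already size-checked the element for this frame type. */`. It is also worth confirming that `frame_type` here is always the same value the parser used for its size check. That code is outside this hunk, but a mismatch would presumably let a beacon-sized element reach the NPCA accesses, so a single shared beacon predicate for both sites would make the invariant harder to break. The body of the `if` continues past the end of the hunk.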