wifi: nl80211: reject beacons with bad HE operation
authorJohannes Berg <johannes.berg@intel.com>
Wed, 15 Apr 2026 12:42:12 +0000 (14:42 +0200)
committerJohannes Berg <johannes.berg@intel.com>
Tue, 28 Apr 2026 07:29:02 +0000 (09:29 +0200)
The HE operation element not only needs to be longer than
the fixed part, but also have an appropriate size for the
variable part inside of it. Check this.

Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260415144514.6217f5974fb5.Iff7ff6bcb159584e756d0f825c65860cdd53c6ea@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/wireless/nl80211.c

index a4d9b406850606e384190b44f13b476ea46ba067..9892cbc182b9cbd594f2a73e7ede61f3c517a370 100644 (file)
@@ -6673,8 +6673,12 @@ static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
        if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
                params->he_cap = (void *)(cap->data + 1);
        cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
-       if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
+       if (cap && cap->datalen >= sizeof(*params->he_oper) + 1) {
                params->he_oper = (void *)(cap->data + 1);
+               /* takes extension ID into account */
+               if (cap->datalen < ieee80211_he_oper_size((void *)params->he_oper))
+                       return -EINVAL;
+       }
        cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
        if (cap) {
                if (!cap->datalen)
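Review bot: In the HE operation branch, `params->he_oper` is assigned before the variable-part length check runs, so the `-EINVAL` path returns with the settings still pointing at an element just found too short. Validating first avoids publishing an unvalidated pointer and drops the `(void *)` cast: `if (cap->datalen < ieee80211_he_oper_size(cap->data + 1)) return -EINVAL;` followed by the assignment (this assumes the helper takes a byte pointer, as the cast suggests). The comment would be clearer as `/* ieee80211_he_oper_size() counts the extension ID byte, as does cap->datalen */`. An element shorter than the fixed part is still skipped silently rather than rejected, and whether that asymmetry is intended is not visible here. nl80211_calculate_ap_params starts and ends outside the hunk, so how callers treat `params` after an error cannot be confirmed from these lines.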