wifi: mac80211: Write cnt before copying in ieee80211_copy_rnr_beacon()

While I caught the need for setting cnt early in nl80211_parse_rnr_elems()
in the original annotation of struct cfg80211_rnr_elems with __counted_by,
I missed a similar pattern in ieee80211_copy_rnr_beacon(). Fix this by
moving the cnt assignment to before the loop.

Fixes: 7b6d7087031b ("wifi: cfg80211: Annotate struct cfg80211_rnr_elems with __counted_by")
Signed-off-by: Kees Cook <kees@kernel.org>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Link: https://patch.msgid.link/20250721182521.work.540-kees@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 4f20d57ab913aa33d2d47470830f5e2f3bd11708..2ed07fa121ab73d3afd2f841eb53e6cdc0be91a3 100644 (file)
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1176,13 +1176,13 @@ ieee80211_copy_rnr_beacon(u8 *pos, struct cfg80211_rnr_elems *dst,
 {
        int i, offset = 0;
 
+       dst->cnt = src->cnt;
        for (i = 0; i < src->cnt; i++) {
                memcpy(pos + offset, src->elem[i].data, src->elem[i].len);
                dst->elem[i].len = src->elem[i].len;
                dst->elem[i].data = pos + offset;
                offset += dst->elem[i].len;
        }
-       dst->cnt = src->cnt;
 
        return offset;
 }