HE: Fix invalid length checking for HE Capability element
authorJouni Malinen <quic_jouni@quicinc.com>
Wed, 2 Mar 2022 23:24:02 +0000 (01:24 +0200)
committerJouni Malinen <j@w1.fi>
Wed, 2 Mar 2022 23:31:39 +0000 (01:31 +0200)
Do not use the first octet of the PPE Thresholds field without
explicitly confirming that that octet was included in the element.
Furthermore, allow the received element to have additional octets in the
end since IEEE Std 802.11ax-2021 defines this to be an extensible
element and new fields could be added to the end of it in the future.

Fixes: 0497e4148197 ("HE: Fix HE Capabilities element size")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/ap/ieee802_11_he.c

index 6e368ff33770c3d41dcd62c97a8835e628a3e34b..5042286c20f5de2e38707749cbfa00cd56958018 100644 (file)
@@ -66,6 +66,7 @@ static int ieee80211_invalid_he_cap_size(const u8 *buf, size_t len)
 {
        struct ieee80211_he_capabilities *cap;
        size_t cap_len;
+       u8 ppe_thres_hdr;
 
        cap = (struct ieee80211_he_capabilities *) buf;
        cap_len = sizeof(*cap) - sizeof(cap->optional);
@@ -76,9 +77,11 @@ static int ieee80211_invalid_he_cap_size(const u8 *buf, size_t len)
        if (len < cap_len)
                return 1;
 
-       cap_len += ieee80211_he_ppet_size(buf[cap_len], cap->he_phy_capab_info);
+       ppe_thres_hdr = len > cap_len ? buf[cap_len] : 0xff;
+       cap_len += ieee80211_he_ppet_size(ppe_thres_hdr,
+                                         cap->he_phy_capab_info);
 
-       return len != cap_len;
+       return len < cap_len;
 }
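Review bot: The final `return len < cap_len;` now accepts elements longer than the computed size, so this helper no longer gives its callers an upper bound on `len`. Any caller that copies `len` octets into a fixed-size `struct ieee80211_he_capabilities` needs its own `len > sizeof(struct ieee80211_he_capabilities)` check; no caller is visible in this diff, so that should be confirmed before relying on the relaxed check. The `0xff` fallback on the `ppe_thres_hdr` line also deserves a comment, for example `/* PPE Thresholds header octet not present: use the value giving the largest field size so the length check below rejects the element if the field is signalled as present */`. That wording presumes ieee80211_he_ppet_size() returns 0 when the PHY capabilities do not signal PPE Thresholds and its largest size for 0xff; the helper is defined outside this diff, so verify it. The function body begins in the previous hunk, and the lines between the two hunks are not shown.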