A previous commit changed mac80211 to no longer make wrong
calls to cfg80211_defragment_element() with the element
pointing outside of the buffer. Additionally, harden this
function itself against that and always return -EINVAL in
case the element isn't inside the source buffer.
Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Link: https://patch.msgid.link/20260529102644.198945754054.I5ae8fdebf9008abc6e15d0b0f10c3a7b73d02eab@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* Copyright 2008 Johannes Berg <johannes@sipsolutions.net>
* Copyright 2013-2014 Intel Mobile Communications GmbH
* Copyright 2016 Intel Deutschland GmbH
- * Copyright (C) 2018-2025 Intel Corporation
+ * Copyright (C) 2018-2026 Intel Corporation
*/
#include <linux/kernel.h>
#include <linux/slab.h>
ssize_t copied;
u8 elem_datalen;
- if (!elem)
+ if (!elem || (const u8 *)elem < ies ||
+ (const u8 *)elem + sizeof(*elem) > ies + ieslen ||
+ (const u8 *)elem + sizeof(*elem) + elem->datalen > ies + ieslen)
return -EINVAL;
/* elem might be invalid after the memmove */
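Review bot: the order of the three new conditions is load-bearing and deserves a comment: `elem->datalen` is only dereferenced after `(const u8 *)elem + sizeof(*elem) > ies + ieslen` has established that the element header lies inside the source buffer, so the third test cannot itself read past `ies + ieslen`. Suggest a short comment above the `if` (e.g. "header must be in-bounds before datalen is read") so a later reorder does not silently reintroduce the out-of-buffer read the commit message describes. Since `elem_datalen` is declared as a local just above, it would also be worth checking that the rest of the function keeps using that local rather than re-reading `elem->datalen` after the memmove that the trailing comment warns about.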