From: Johannes Berg Date: Tue, 28 Apr 2026 09:25:41 +0000 (+0200) Subject: wifi: mac80211: don't parse full UHR operation from beacons X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a621df46d5544f1b4f1c0572f07e1286b68c66a;p=thirdparty%2Fkernel%2Flinux.git wifi: mac80211: don't parse full UHR operation from beacons Currently, as noted in the comment, ieee80211_uhr_oper_size_ok() will reject the element coming from the beacon, since it's too short. However, this is incorrect in general, since the element is extensible, and such extensions could be present in a beacon, and then it might pass muster anyway. Using the frame type we now have in the element parse result, check that it's not coming from a beacon. The size was already checked (according to frame type) during parsing. Link: https://patch.msgid.link/20260428112708.41a7aacdda0c.I0d83c8c9cbee41fd2599480cad815b94867aa1f8@changeid Signed-off-by: Johannes Berg --- diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index a818568d34b90..b09c82082d30f 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -392,14 +392,7 @@ check_uhr: if (conn->mode < IEEE80211_CONN_MODE_UHR || !uhr_oper) return IEEE80211_CONN_MODE_EHT; - /* - * In beacons we don't have all the data - but we know the size was OK, - * so if the size is valid as a non-beacon case, we have more data and - * can validate the NPCA parameters. - */ - if (ieee80211_uhr_oper_size_ok((const void *)uhr_oper, - elems->uhr_operation_len, - false)) { + if (elems->frame_type != (IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_BEACON)) { struct cfg80211_chan_def npca_chandef = *chandef; const struct ieee80211_sta_uhr_cap *uhr_cap; const struct ieee80211_uhr_npca_info *npca;
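Review bot: The new guard at check_uhr in net/mac80211/mlme.c removes the only local length check in front of the NPCA block, and it is true for every frame_type value other than beacon, including an unset one. The accesses through uhr_oper inside the block therefore depend entirely on the element parser having validated elems->uhr_operation_len against the non-beacon layout, and on every caller that reaches this path having filled in elems->frame_type. The commit message states that the size was checked during parsing, but nothing at this site records it, since the deleted comment was not replaced. Please add a short comment above the new condition saying that beacons do not carry all the data and that the length was validated per frame type in the parser. Consider also either keeping a cheap ieee80211_uhr_oper_size_ok(..., false) check as defence in depth or inverting the test to list the frame types that are known to carry the full element. Separately, the comparison `elems->frame_type != (IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_BEACON)` is an exact match, so it assumes frame_type holds only the type and subtype bits; if it can hold any other frame-control bits, a beacon would fall through into the NPCA validation, so mask it or state that invariant where the field is defined.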