From: Henry Yen Date: Thu, 16 Oct 2025 16:11:03 +0000 (+0000) Subject: Check HE and EHT element minimum lengths in the parser X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b908467f46aead3ba1d995581f751309ca7bb75b;p=thirdparty%2Fhostap.git Check HE and EHT element minimum lengths in the parser Ignore invalid elements that do not contain enough payload early in the process. Signed-off-by: sunilravi Signed-off-by: Henry Yen
---
diff --git a/src/common/ieee802_11_common.c b/src/common/ieee802_11_common.c
index a0b51c014..b77a6b16a 100644
--- a/src/common/ieee802_11_common.c
+++ b/src/common/ieee802_11_common.c
@@ -378,10 +378,14 @@ static int ieee802_11_parse_extension(const u8 *pos, size_t elen,
 elems->password_id_len = elen;
 break;
 case WLAN_EID_EXT_HE_CAPABILITIES:
+ if (elen < HE_CAPABILITIES_ELEM_MIN_LEN)
+ break;
 elems->he_capabilities = pos;
 elems->he_capabilities_len = elen;
 break;
 case WLAN_EID_EXT_HE_OPERATION:
+ if (elen < HE_OPERATION_ELEM_MIN_LEN)
+ break;
 elems->he_operation = pos;
 elems->he_operation_len = elen;
 break;
@@ -403,10 +407,14 @@ static int ieee802_11_parse_extension(const u8 *pos, size_t elen,
 elems->pasn_params_len = elen;
 break;
 case WLAN_EID_EXT_EHT_CAPABILITIES:
+ if (elen < EHT_CAPABILITIES_ELEM_MIN_LEN)
+ break;
 elems->eht_capabilities = pos;
 elems->eht_capabilities_len = elen;
 break;
 case WLAN_EID_EXT_EHT_OPERATION:
+ if (elen < EHT_OPERATION_ELEM_MIN_LEN)
+ break;
 elems->eht_operation = pos;
 elems->eht_operation_len = elen;
 break;
diff --git a/src/common/ieee802_11_defs.h b/src/common/ieee802_11_defs.h
index 28032bbc8..46373b3c2 100644
--- a/src/common/ieee802_11_defs.h
+++ b/src/common/ieee802_11_defs.h
@@ -2535,6 +2535,8 @@ struct ieee80211_spatial_reuse {
 u8 params[19];
 } STRUCT_PACKED;
+#define HE_CAPABILITIES_ELEM_MIN_LEN 21
+
 /* HE Capabilities Information defines */
 #define HE_MACCAP_TWT_RESPONDER ((u8) BIT(2))
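Review bot: The new `if (elen < HE_CAPABILITIES_ELEM_MIN_LEN) break;` and the matching HE Operation check below it drop a too-short element silently, so a malformed frame leaves `elems->he_capabilities` / `elems->he_operation` NULL with nothing in the log to show that an element was rejected rather than never sent. Treating the element as absent is the right parser outcome, but a debug line before each `break`, e.g. `wpa_printf(MSG_DEBUG, "HE: Ignore short HE Capabilities element (len=%zu)", elen);`, would make the rejection observable when debugging interoperability or fuzzing findings (the same applies to the two EHT cases in the second hunk). A one-line comment above the checks such as `/* Too short for the fixed fields; treat the element as absent */` would also record why these elements are skipped rather than parsed partially. ieee802_11_parse_extension starts and ends outside this hunk.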
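Review bot: The EHT Operation check `if (elen < EHT_OPERATION_ELEM_MIN_LEN) break;` accepts a one-byte element, while ieee802_11_defs.h already carries `IEEE80211_EHT_OP_MIN_LEN (1 + 4)` (visible as context in the last hunk of that file), so the tree now has two different minimums for the same element. If the four bytes that IEEE80211_EHT_OP_MIN_LEN accounts for beyond the first byte are mandatory, the parser's 1-byte bound still lets through elements that every consumer must re-check before reading past `pos[0]`; if only the first byte is guaranteed, the stricter constant's purpose should be stated next to the new one. Either way the relationship between the two constants deserves a comment where EHT_OPERATION_ELEM_MIN_LEN is defined, so that a later reader does not pick the weaker bound by accident. ieee802_11_parse_extension starts and ends outside this hunk.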
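Review bot: `#define HE_CAPABILITIES_ELEM_MIN_LEN 21` is added without any comment explaining how 21 is derived, unlike HE_OPERATION_ELEM_MIN_LEN in the next file hunk, which at least gets a heading. A bound used to gate parsing of frames from the air is only auditable if its derivation is written down; if 21 is the fixed HE MAC Capabilities Information and HE PHY Capabilities Information fields plus the smallest Supported HE-MCS And NSS Set, a comment such as `/* Minimum HE Capabilities element body: fixed MAC + PHY capabilities fields plus the smallest HE-MCS And NSS Set */` above the define lets a reviewer check it against the spec without recomputing it. The constant also sits directly under `struct ieee80211_spatial_reuse` rather than next to the other HE Capabilities definitions it belongs with.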
@@ -2586,6 +2588,9 @@ struct ieee80211_spatial_reuse {
 #define HE_OPERATION_BSS_COLOR_OFFSET 24
 #define HE_OPERATION_BSS_COLOR_MAX 64
+/* HE operation fields length */
+#define HE_OPERATION_ELEM_MIN_LEN 6
+
 /**
 * enum he_reg_info_6ghz_ap_type - Allowed Access Point types for 6 GHz Band
 *
@@ -2690,6 +2695,7 @@ struct ieee80211_he_mu_edca_parameter_set {
 #define RNR_TBTT_INFO_MLD_PARAM2_LINK_DISABLED 0x20
 /* IEEE P802.11be/D2.3, 9.4.2.311 - EHT Operation element */
+#define EHT_OPERATION_ELEM_MIN_LEN 1
 /* Figure 9-1002b: EHT Operation Parameters field subfields */
 #define EHT_OPER_INFO_PRESENT BIT(0)
@@ -2724,6 +2730,7 @@ struct ieee80211_eht_operation {
 #define IEEE80211_EHT_OP_MIN_LEN (1 + 4)
 /* IEEE P802.11be/D1.5, 9.4.2.313 - EHT Capabilities element */
+#define EHT_CAPABILITIES_ELEM_MIN_LEN 11
 /* Figure 9-1002af: EHT MAC Capabilities Information field */
 #define EHT_MACCAP_EPCS_PRIO BIT(0)
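Review bot: The comment `/* HE operation fields length */` on the new HE_OPERATION_ELEM_MIN_LEN is imprecise: the value is a minimum body length used to reject short elements, not the length of the element's fields, and the surrounding HE_OPERATION_* offsets suggest the element can be longer than 6 when optional information is present. A wording such as `/* Minimum HE Operation element body length (mandatory fields only; optional fields may follow) */` states what the parser actually guarantees and tells consumers that anything past the minimum must still be bounded by `he_operation_len`. Whether optional fields follow in this implementation is inferred from the neighbouring offset constants and should be confirmed before the comment is worded that way.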
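Review bot: `#define EHT_CAPABILITIES_ELEM_MIN_LEN 11` has no comment, and if 11 covers only the fixed EHT MAC and PHY capabilities fields it says nothing about the variable-length EHT-MCS And NSS Set that follows them, so code consuming `elems->eht_capabilities` must still bound every read of that set by `eht_capabilities_len`. A comment such as `/* Minimum EHT Capabilities element body: fixed MAC + PHY capabilities fields; the EHT-MCS And NSS Set that follows is variable length and must be length-checked by the consumer */` would make that limit explicit at the point where the bound is defined. The derivation of 11 is inferred here and should be confirmed against the cited 9.4.2.313 figures before the comment is committed.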