From 7efb4fe083e0b5a5f86447598dd0ce54773c33b3 Mon Sep 17 00:00:00 2001
From: Roy Marples <roy@marples.name>
Date: Sat, 20 Jun 2026 12:16:51 +0100
Subject: [PATCH] linux: Ensure NLA data boundaries are valid

Reported by NVIDIA Project Vanessa
---
 src/if-linux.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/if-linux.c b/src/if-linux.c
index 0359d1b2..41893815 100644
--- a/src/if-linux.c
+++ b/src/if-linux.c
@@ -1517,7 +1517,7 @@ _if_getssid_nl80211(__unused struct dhcpcd_ctx *ctx, void *arg,
 	ie = NLA_DATA(bss[NL80211_BSS_INFORMATION_ELEMENTS]);
 	ie_len = (int)NLA_LEN(bss[NL80211_BSS_INFORMATION_ELEMENTS]);
 	/* ie[0] is type, ie[1] is lenth, ie[2..] is data */
-	while (ie_len >= 2 && ie_len >= ie[1]) {
+	while (ie_len >= 2 && ie_len >= ie[1] + 2) {
 		if (ie[0] == 0) {
 			/* SSID */
 			if (ie[1] > IF_SSIDLEN) {
@@ -1525,7 +1525,8 @@ _if_getssid_nl80211(__unused struct dhcpcd_ctx *ctx, void *arg,
 				return -1;
 			}
 			ifp->ssid_len = ie[1];
-			memcpy(ifp->ssid, ie + 2, ifp->ssid_len);
+			if (ifp->ssid_len != 0)
+				memcpy(ifp->ssid, ie + 2, ifp->ssid_len);
 			return (int)ifp->ssid_len;
 		}
 		ie_len -= ie[1] + 2;
-- 
2.47.3