wifi: rtw89: phy: check length before parsing PHY status IE

Hardware might report PHY status IE with unexpected length, and parser
might access out of range. Check the length ahead.

Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260506131000.1706298-12-pkshih@realtek.com

diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c
index 7fa479ce52e2bdb82d3e6d5d453d22231a62bb1e..7e1182a4994274c5f3045ece4ca325c25fcddeac 100644 (file)
--- a/drivers/net/wireless/realtek/rtw89/core.c
+++ b/drivers/net/wireless/realtek/rtw89/core.c
@@ -2276,7 +2276,6 @@ static int rtw89_core_rx_parse_phy_sts(struct rtw89_dev *rtwdev,
                const struct rtw89_phy_sts_iehdr *iehdr = pos;
 
                ie_len = rtw89_core_get_phy_status_ie_len(rtwdev, iehdr);
-               rtw89_core_process_phy_status_ie(rtwdev, iehdr, phy_ppdu);
                pos += ie_len;
                if (pos > end || ie_len == 0) {
                        /* clear pointers to prevent accessing out of IE */
@@ -2285,8 +2284,11 @@ static int rtw89_core_rx_parse_phy_sts(struct rtw89_dev *rtwdev,
 
                        rtw89_debug(rtwdev, RTW89_DBG_TXRX,
                                    "phy status parse failed\n");
+
                        return -EINVAL;
                }
+
+               rtw89_core_process_phy_status_ie(rtwdev, iehdr, phy_ppdu);
        }
 
        rtw89_chip_convert_rpl_to_rssi(rtwdev, phy_ppdu);