wifi: cfg80211: reject HTC bit for management frames

[ Upstream commit be06a8c7313943109fa870715356503c4c709cbc ]

Management frames sent by userspace should never have the
order/HTC bit set, reject that. It could also cause some
confusion with the length of the buffer and the header so
the validation might end up wrong.

Link: https://patch.msgid.link/20250718202307.97a0455f0f35.I1805355c7e331352df16611839bc8198c855a33f@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index 05d44a4435189cf4c08fb2fa950859ff2d648279..fd88a32d43d6857ee6e7ffb5325f4a21dd79a25e 100644 (file)
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -850,7 +850,8 @@ int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev,
 
        mgmt = (const struct ieee80211_mgmt *)params->buf;
 
-       if (!ieee80211_is_mgmt(mgmt->frame_control))
+       if (!ieee80211_is_mgmt(mgmt->frame_control) ||
+           ieee80211_has_order(mgmt->frame_control))
                return -EINVAL;
 
        stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE;