]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
projects / thirdparty / kernel / stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fad7edb)
wifi: cfg80211: validate HE operation element parsing
authorJohannes Berg <johannes.berg@intel.com>
Thu, 23 May 2024 10:05:33 +0000 (12:05 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 21 Jun 2024 12:40:31 +0000 (14:40 +0200)
commit 4dc3a3893dae5a7f73e5809273aca0f1f3548d55 upstream.

Validate that the HE operation element has the correct
length before parsing it.

Cc: stable@vger.kernel.org
Fixes: 645f3d85129d ("wifi: cfg80211: handle UHB AP and STA power type")
Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20240523120533.677025eb4a92.I44c091029ef113c294e8fe8b9bf871bf5dbeeb27@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/wireless/scan.c patch | blob | blame | history

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 9b0dbcd6cf79a9c4082ec56f100f48b6a6d61fcd..ecea8c08e2701e060daad7ac1b8b21d888706acb 100644 (file)
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2128,7 +2128,8 @@ static bool cfg80211_6ghz_power_type_valid(const u8 *ie, size_t ielen,
        struct ieee80211_he_operation *he_oper;
 
        tmp = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ie, ielen);
-       if (tmp && tmp->datalen >= sizeof(*he_oper) + 1) {
+       if (tmp && tmp->datalen >= sizeof(*he_oper) + 1 &&
+           tmp->datalen >= ieee80211_he_oper_size(tmp->data + 1)) {
                const struct ieee80211_he_6ghz_oper *he_6ghz_oper;
 
                he_oper = (void *)&tmp->data[1];
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git