From: Kees Cook <kees@kernel.org>
Date: Mon, 21 Jul 2025 18:31:29 +0000 (-0700)
Subject: wifi: nl80211: Set num_sub_specs before looping through sub_specs
X-Git-Tag: v6.12.42~242
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=24bf1d10a04a6f740d101a55797baccf16cf6610;p=thirdparty%2Fkernel%2Fstable.git

wifi: nl80211: Set num_sub_specs before looping through sub_specs

[ Upstream commit 2ed9a9fc9976262109d04f1a3c75c46de8ce4f22 ]

The processing of the struct cfg80211_sar_specs::sub_specs flexible
array requires its counter, num_sub_specs, to be assigned before the
loop in nl80211_set_sar_specs(). Leave the final assignment after the
loop in place in case fewer ended up in the array.

Fixes: aa4ec06c455d ("wifi: cfg80211: use __counted_by where appropriate")
Signed-off-by: Kees Cook <kees@kernel.org>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Link: https://patch.msgid.link/20250721183125.work.183-kees@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 4eb44821c70d3..ec8265f2d5680 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -16789,6 +16789,7 @@ static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
 	if (!sar_spec)
 		return -ENOMEM;
 
+	sar_spec->num_sub_specs = specs;
 	sar_spec->type = type;
 	specs = 0;
 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {