From: Johannes Berg <johannes.berg@intel.com>
Date: Fri, 18 Jul 2025 18:23:06 +0000 (+0200)
Subject: wifi: cfg80211: reject HTC bit for management frames
X-Git-Tag: v6.16.2~350
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c5a5a8701055a88f718e7e83f02ba9ded284ed37;p=thirdparty%2Fkernel%2Fstable.git

wifi: cfg80211: reject HTC bit for management frames

[ Upstream commit be06a8c7313943109fa870715356503c4c709cbc ]

Management frames sent by userspace should never have the
order/HTC bit set, reject that. It could also cause some
confusion with the length of the buffer and the header so
the validation might end up wrong.

Link: https://patch.msgid.link/20250718202307.97a0455f0f35.I1805355c7e331352df16611839bc8198c855a33f@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index 05d44a4435189..fd88a32d43d68 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -850,7 +850,8 @@ int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev,
 
 	mgmt = (const struct ieee80211_mgmt *)params->buf;
 
-	if (!ieee80211_is_mgmt(mgmt->frame_control))
+	if (!ieee80211_is_mgmt(mgmt->frame_control) ||
+	    ieee80211_has_order(mgmt->frame_control))
 		return -EINVAL;
 
 	stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE;