wifi: rtl8xxxu: validate action frame size before using in rtl8xxxu_dump_action()

The rtl8xxxu_dump_action() is to print action frames when turning on
debug mask. Validate the skb->len size to prevent potential broken in
monitor mode injection.

Compile tested only.

Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260414062229.21047-2-pkshih@realtek.com

diff --git a/drivers/net/wireless/realtek/rtl8xxxu/core.c b/drivers/net/wireless/realtek/rtl8xxxu/core.c
index f20fade0c0990d03ee0b6db3e181234e25a6bb0e..508137e4a87aa1f191778b216c3fabd523c70a74 100644 (file)
--- a/drivers/net/wireless/realtek/rtl8xxxu/core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/core.c
@@ -5126,7 +5126,7 @@ static void rtl8xxxu_tx_complete(struct urb *urb)
 }
 
 static void rtl8xxxu_dump_action(struct device *dev,
-                                struct ieee80211_hdr *hdr)
+                                struct ieee80211_hdr *hdr, unsigned int skb_len)
 {
        struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)hdr;
        u16 cap, timeout;
@@ -5134,8 +5134,14 @@ static void rtl8xxxu_dump_action(struct device *dev,
        if (!(rtl8xxxu_debug & RTL8XXXU_DEBUG_ACTION))
                return;
 
+       if (skb_len < IEEE80211_MIN_ACTION_SIZE(action_code))
+               return;
+
        switch (mgmt->u.action.action_code) {
        case WLAN_ACTION_ADDBA_RESP:
+               if (skb_len < IEEE80211_MIN_ACTION_SIZE(addba_resp))
+                       break;
+
                cap = le16_to_cpu(mgmt->u.action.addba_resp.capab);
                timeout = le16_to_cpu(mgmt->u.action.addba_resp.timeout);
                dev_info(dev, "WLAN_ACTION_ADDBA_RESP: "
@@ -5148,6 +5154,9 @@ static void rtl8xxxu_dump_action(struct device *dev,
                         le16_to_cpu(mgmt->u.action.addba_resp.status));
                break;
        case WLAN_ACTION_ADDBA_REQ:
+               if (skb_len < IEEE80211_MIN_ACTION_SIZE(addba_req))
+                       break;
+
                cap = le16_to_cpu(mgmt->u.action.addba_req.capab);
                timeout = le16_to_cpu(mgmt->u.action.addba_req.timeout);
                dev_info(dev, "WLAN_ACTION_ADDBA_REQ: "
@@ -5437,7 +5446,7 @@ static void rtl8xxxu_tx(struct ieee80211_hw *hw,
        }
 
        if (ieee80211_is_action(hdr->frame_control))
-               rtl8xxxu_dump_action(dev, hdr);
+               rtl8xxxu_dump_action(dev, hdr, skb->len);
 
        tx_info->rate_driver_data[0] = hw;