Merge tag 'wireless-2026-01-29' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Johannes Berg says:

====================
Just one fix, for a parsing error in mac80211 that might
result in a one byte out-of-bounds read.

* tag 'wireless-2026-01-29' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
wifi: mac80211: correctly decode TTLM with default link map
====================

Link: https://patch.msgid.link/20260129110403.178036-3-johannes@sipsolutions.net
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Paolo Abeni 2 months ago 08582067 df8b9be3

+5 -3

1 changed file

expand all

net

mac80211

mlme.c

+5 -3

net/mac80211/mlme.c

··· 8 8 * Copyright 2007, Michael Wu <flamingice@sourmilk.net> 9 9 * Copyright 2013-2014 Intel Mobile Communications GmbH 10 10 * Copyright (C) 2015 - 2017 Intel Deutschland GmbH 11 - * Copyright (C) 2018 - 2025 Intel Corporation 11 + * Copyright (C) 2018 - 2026 Intel Corporation 12 12 */ 13 13 14 14 #include <linux/delay.h> ··· 6190 6190 return -EINVAL; 6191 6191 } 6192 6192 6193 - link_map_presence = *pos; 6194 - pos++; 6193 + if (!(control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP)) { 6194 + link_map_presence = *pos; 6195 + pos++; 6196 + } 6195 6197 6196 6198 if (control & IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT) { 6197 6199 ttlm_info->switch_time = get_unaligned_le16(pos);