wifi: mac80211: correctly decode TTLM with default link map

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

TID-To-Link Mapping (TTLM) elements do not contain any link mapping
presence indicator if a default mapping is used and parsing needs to be
skipped.

Note that access points should not explicitly report an advertised TTLM
with a default mapping as that is the implied mapping if the element is
not included, this is even the case when switching back to the default
mapping. However, mac80211 would incorrectly parse the frame and would
also read one byte beyond the end of the element.

Reported-by: Ruikai Peng <ruikai@pwno.io>
Closes: https://lore.kernel.org/linux-wireless/CAFD3drMqc9YWvTCSHLyP89AOpBZsHdZ+pak6zVftYoZcUyF7gw@mail.gmail.com
Fixes: 702e80470a33 ("wifi: mac80211: support handling of advertised TID-to-link mapping")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Link: https://patch.msgid.link/20260129113349.d6b96f12c732.I69212a50f0f70db185edd3abefb6f04d3cb3e5ff@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

authored by

Benjamin Berg and committed by

Johannes Berg 2 months ago 1eab33aa 0a80e38d

+5 -3

1 changed file

expand all

net

mac80211

mlme.c

+5 -3

net/mac80211/mlme.c

··· 8 8 * Copyright 2007, Michael Wu <flamingice@sourmilk.net> 9 9 * Copyright 2013-2014 Intel Mobile Communications GmbH 10 10 * Copyright (C) 2015 - 2017 Intel Deutschland GmbH 11 - * Copyright (C) 2018 - 2025 Intel Corporation 11 + * Copyright (C) 2018 - 2026 Intel Corporation 12 12 */ 13 13 14 14 #include <linux/delay.h> ··· 6190 6190 return -EINVAL; 6191 6191 } 6192 6192 6193 - link_map_presence = *pos; 6194 - pos++; 6193 + if (!(control & IEEE80211_TTLM_CONTROL_DEF_LINK_MAP)) { 6194 + link_map_presence = *pos; 6195 + pos++; 6196 + } 6195 6197 6196 6198 if (control & IEEE80211_TTLM_CONTROL_SWITCH_TIME_PRESENT) { 6197 6199 ttlm_info->switch_time = get_unaligned_le16(pos);