wifi: cfg80211: validate HE operation element parsing

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Validate that the HE operation element has the correct
length before parsing it.

Cc: stable@vger.kernel.org
Fixes: 645f3d85129d ("wifi: cfg80211: handle UHB AP and STA power type")
Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20240523120533.677025eb4a92.I44c091029ef113c294e8fe8b9bf871bf5dbeeb27@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

Johannes Berg 2 years ago 4dc3a389 44c06bbd

+2 -1

1 changed file

expand all

net

wireless

scan.c

+2 -1

net/wireless/scan.c

··· 2128 2128 struct ieee80211_he_operation *he_oper; 2129 2129 2130 2130 tmp = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ie, ielen); 2131 - if (tmp && tmp->datalen >= sizeof(*he_oper) + 1) { 2131 + if (tmp && tmp->datalen >= sizeof(*he_oper) + 1 && 2132 + tmp->datalen >= ieee80211_he_oper_size(tmp->data + 1)) { 2132 2133 const struct ieee80211_he_6ghz_oper *he_6ghz_oper; 2133 2134 2134 2135 he_oper = (void *)&tmp->data[1];