
wifi: remove zero-length arrays

All of these are really meant to be variable-length, and
in the case of s1g_beacon it's actually accessed. Make that
one in particular, and a couple of others (that aren't used
as arrays now), actually variable.

Reported-by: syzbot+fd222bb38e916df26fa4@syzkaller.appspotmail.com
Fixes: 1e1f706fc2ce ("wifi: cfg80211/mac80211: correctly parse S1G beacon optional elements")
Link: https://patch.msgid.link/20250614003037.a3e82e882251.I2e8b58e56ff2a9f8b06c66f036578b7c1d4e4685@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

+9 -9
+9 -9
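--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -1278,7 +1278,7 @@
  u8 sa[ETH_ALEN];
  __le32 timestamp;
  u8 change_seq;
- u8 variable[0];
+ u8 variable[];
  } __packed s1g_beacon;
  } u;
  } __packed __aligned(2);
@@ -1536,7 +1536,7 @@
  u8 action_code;
  u8 dialog_token;
  __le16 capability;
- u8 variable[0];
+ u8 variable[];
  } __packed tdls_discover_resp;
  struct {
  u8 action_code;
@@ -1721,35 +1721,35 @@
  struct {
  u8 dialog_token;
  __le16 capability;
- u8 variable[0];
+ u8 variable[];
  } __packed setup_req;
  struct {
  __le16 status_code;
  u8 dialog_token;
  __le16 capability;
- u8 variable[0];
+ u8 variable[];
  } __packed setup_resp;
  struct {
  __le16 status_code;
  u8 dialog_token;
- u8 variable[0];
+ u8 variable[];
  } __packed setup_cfm;
  struct {
  __le16 reason_code;
- u8 variable[0];
+ u8 variable[];
  } __packed teardown;
  struct {
  u8 dialog_token;
- u8 variable[0];
+ u8 variable[];
  } __packed discover_req;
  struct {
  u8 target_channel;
  u8 oper_class;
- u8 variable[0];
+ u8 variable[];
  } __packed chan_switch_req;
  struct {
  __le16 status_code;
- u8 variable[0];
+ u8 variable[];
  } __packed chan_switch_resp;
  } u;
  } __packed;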
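Review bot: The new `u8 variable[];` in `s1g_beacon` (line 1281) carries no length of its own, so nothing in the type bounds an access to it. Presumably bounds instrumentation treated the old `[0]` form as a zero-sized array and now sees an array of unknown size, which would leave the caller's check of the received frame length as the only limit. None of the structs shown has a count field that `__counted_by()` could name, so I would document the contract at the member instead, e.g. `/* optional elements; accesses must be bounded by the frame length */`. The same comment fits the TDLS members changed at 1539 and 1724–1752. The enclosing struct definitions start outside the hunks, so any existing documentation on them is not visible here.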