wifi: cfg80211: validate HE operation element parsing

commit 4dc3a3893dae5a7f73e5809273aca0f1f3548d55 upstream. Validate that the HE operation element has the correct length before parsing it. Cc: stable@vger.kernel.org Fixes: 645f3d85129d ("wifi: cfg80211: handle UHB AP and STA power type") Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com> Link: https://msgid.link/20240523120533.677025eb4a92.I44c091029ef113c294e8fe8b9bf871bf5dbeeb27@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Johannes Berg <johannes.berg@intel.com> 2024-05-23 13:05:33 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-06-21 15:40:31 +0300
commit: f15e3e13e14cc5ae8f950c16efe706add18ac8e2 (patch)
tree: b5b706b64942558c7506befddbf29fa089f52adf /net
parent: fad7edbd7f90be0c43abfa24f1dc116d1acf8fed (diff)
download: linux-f15e3e13e14cc5ae8f950c16efe706add18ac8e2.tar.xz
1 files changed, 2 insertions, 1 deletions
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 9b0dbcd6cf79..ecea8c08e270 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2128,7 +2128,8 @@ static bool cfg80211_6ghz_power_type_valid(const u8 *ie, size_t ielen,
 	struct ieee80211_he_operation *he_oper;
 
 	tmp = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ie, ielen);
-	if (tmp && tmp->datalen >= sizeof(*he_oper) + 1) {
+	if (tmp && tmp->datalen >= sizeof(*he_oper) + 1 &&
+	    tmp->datalen >= ieee80211_he_oper_size(tmp->data + 1)) {
 		const struct ieee80211_he_6ghz_oper *he_6ghz_oper;
 
 		he_oper = (void *)&tmp->data[1];
author	Johannes Berg <johannes.berg@intel.com>	2024-05-23 13:05:33 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2024-06-21 15:40:31 +0300
commit	f15e3e13e14cc5ae8f950c16efe706add18ac8e2 (patch)
tree	b5b706b64942558c7506befddbf29fa089f52adf /net
parent	fad7edbd7f90be0c43abfa24f1dc116d1acf8fed (diff)
download	linux-f15e3e13e14cc5ae8f950c16efe706add18ac8e2.tar.xz