wifi: mac80211: check defragmentation succeeded

[ Upstream commit 98849ba2aa9db46e62720fb686a9d63ed9887806 ]

We need to check that cfg80211_defragment_element()
didn't return an error, since it can fail due to bad
input, and we didn't catch that before.

Fixes: 8eb8dd2ffbbb ("wifi: mac80211: Support link removal using Reconfiguration ML element")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20231211085121.8595a6b67fc0.I1225edd8f98355e007f96502e358e476c7971d8c@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 0c91989..73f8df0 100644 (file)
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -5805,7 +5805,7 @@ static void ieee80211_ml_reconfiguration(struct ieee80211_sub_if_data *sdata,
 {
        const struct ieee80211_multi_link_elem *ml;
        const struct element *sub;
-       size_t ml_len;
+       ssize_t ml_len;
        unsigned long removed_links = 0;
        u16 link_removal_timeout[IEEE80211_MLD_MAX_NUM_LINKS] = {};
        u8 link_id;
@@ -5821,6 +5821,8 @@ static void ieee80211_ml_reconfiguration(struct ieee80211_sub_if_data *sdata,
                                             elems->scratch + elems->scratch_len -
                                             elems->scratch_pos,
                                             WLAN_EID_FRAGMENT);
+       if (ml_len < 0)
+               return;
 
        elems->ml_reconf = (const void *)elems->scratch_pos;
        elems->ml_reconf_len = ml_len;