wifi: cfg80211: fix off-by-one in element defrag

[ Upstream commit 43125539fc69c6aa63d34b516939431391bddeac ]

If a fragment is the last element, it's erroneously not
accepted. Fix that.

Fixes: f837a653a097 ("wifi: cfg80211: add element defragmentation helper")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230827135854.adca9fbd3317.I6b2df45eb71513f3e48efd196ae3cddec362dc1c@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 8210a60..e4cc620 100644 (file)
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2358,8 +2358,8 @@ ssize_t cfg80211_defragment_element(const struct element *elem, const u8 *ies,
 
        /* elem might be invalid after the memmove */
        next = (void *)(elem->data + elem->datalen);
-
        elem_datalen = elem->datalen;
+
        if (elem->id == WLAN_EID_EXTENSION) {
                copied = elem->datalen - 1;
                if (copied > data_len)
@@ -2380,7 +2380,7 @@ ssize_t cfg80211_defragment_element(const struct element *elem, const u8 *ies,
 
        for (elem = next;
             elem->data < ies + ieslen &&
-               elem->data + elem->datalen < ies + ieslen;
+               elem->data + elem->datalen <= ies + ieslen;
             elem = next) {
                /* elem might be invalid after the memmove */
                next = (void *)(elem->data + elem->datalen);