wifi: mac80211: check S1G action frame size

[ Upstream commit 19e4a47ee74718a22e963e8a647c8c3bfe8bb05c ]

Before checking the action code, check that it even
exists in the frame.

Reported-by: syzbot+be9c824e6f269d608288@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 55dc061..c4c8003 100644 (file)
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3625,6 +3625,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                        break;
                goto queue;
        case WLAN_CATEGORY_S1G:
+               if (len < offsetofend(typeof(*mgmt),
+                                     u.action.u.s1g.action_code))
+                       break;
+
                switch (mgmt->u.action.u.s1g.action_code) {
                case WLAN_S1G_TWT_SETUP:
                case WLAN_S1G_TWT_TEARDOWN: