projects / platform / kernel / linux-rpi.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d61f427)
mac80211: parse only HE capability elements with valid size
authorJohannes Berg <johannes.berg@intel.com>
Mon, 14 Feb 2022 16:29:22 +0000 (17:29 +0100)
committerJohannes Berg <johannes.berg@intel.com>
Wed, 16 Feb 2022 14:40:48 +0000 (15:40 +0100)
The code validates the HE capability element size later,
but slightly wrong, so use the new helper to do it right
and only accept it if it has a good size.

Link: https://lore.kernel.org/r/20220214172920.b5b06f264a61.I645ac1e2dc0ace223ef3e551cd5a71c88bd55e04@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/mac80211/util.c patch | blob | history

diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index abc29df6834c0bc5b6b66e2a1552b8170ea0ca5f..1a8e1879438714a176f3280d47fb40b59ee21d1b 100644 (file)
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -973,8 +973,10 @@ static void ieee80211_parse_extension_element(u32 *crc,
                }
                break;
        case WLAN_EID_EXT_HE_CAPABILITY:
-               elems->he_cap = data;
-               elems->he_cap_len = len;
+               if (ieee80211_he_capa_size_ok(data, len)) {
+                       elems->he_cap = data;
+                       elems->he_cap_len = len;
+               }
                break;
        case WLAN_EID_EXT_HE_OPERATION:
                if (len >= sizeof(*elems->he_operation) &&
Domain: System / Kernel;