From 5b386ed2d4979324b0ada3e326716ab6aa87c404 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Sun, 27 Aug 2023 14:05:19 +0300 Subject: [PATCH] wifi: cfg80211: fix off-by-one in element defrag [ Upstream commit 43125539fc69c6aa63d34b516939431391bddeac ] If a fragment is the last element, it's erroneously not accepted. Fix that. Fixes: f837a653a097 ("wifi: cfg80211: add element defragmentation helper") Signed-off-by: Johannes Berg Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20230827135854.adca9fbd3317.I6b2df45eb71513f3e48efd196ae3cddec362dc1c@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin --- net/wireless/scan.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 8210a60..e4cc620 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -2358,8 +2358,8 @@ ssize_t cfg80211_defragment_element(const struct element *elem, const u8 *ies, /* elem might be invalid after the memmove */ next = (void *)(elem->data + elem->datalen); - elem_datalen = elem->datalen; + if (elem->id == WLAN_EID_EXTENSION) { copied = elem->datalen - 1; if (copied > data_len) @@ -2380,7 +2380,7 @@ ssize_t cfg80211_defragment_element(const struct element *elem, const u8 *ies, for (elem = next; elem->data < ies + ieslen && - elem->data + elem->datalen < ies + ieslen; + elem->data + elem->datalen <= ies + ieslen; elem = next) { /* elem might be invalid after the memmove */ next = (void *)(elem->data + elem->datalen); -- 2.7.4