diff mbox series

[05/16,BUGFIX] cfg80211: check fixed size before ieee80211_he_oper_size()

Message ID iwlwifi.20211129152938.690c735dc565.I3a12ea2785ff7fd58b69cd462ed441d75174a163@changeid
State New
Headers show
Series cfg80211/mac80211 patches from our internal tree 2021-11-29 | expand

Commit Message

Luca Coelho Nov. 29, 2021, 1:32 p.m. UTC 
From: Johannes Berg <johannes.berg@intel.com>

We need to check the fixed portion is present before calling
ieee80211_he_oper_size() so that we don't access fields in
the static portion that don't exist.

type=bugfix
ticket=none
fixes=I130f678e4aa390973ab39d838bbfe7b2d54bff8e

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Reviewed-on: https://git-amr-3.devtools.intel.com/gerrit/332428
automatic-review: ec ger unix iil jenkins <EC.GER.UNIX.IIL.JENKINS@INTEL.COM>
Tested-by: ec ger unix iil jenkins <EC.GER.UNIX.IIL.JENKINS@INTEL.COM>
Reviewed-by: Luciano Coelho <luciano.coelho@intel.com>
---
 net/wireless/scan.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff mbox series

Patch

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 3fd0757ead29..fddcb60b5b60 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1802,14 +1802,16 @@  int cfg80211_get_ies_channel_number(const u8 *ie, size_t ielen,
 
 	if (channel->band == NL80211_BAND_6GHZ) {
 		const struct element *elem;
+		struct ieee80211_he_operation *he_oper;
 
 		elem = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ie,
 					      ielen);
-		if (elem && elem->datalen >= ieee80211_he_oper_size(&elem->data[1])) {
-			struct ieee80211_he_operation *he_oper =
-				(void *)(&elem->data[1]);
+		if (elem && elem->datalen >= sizeof(*he_oper) &&
+		    elem->datalen >= ieee80211_he_oper_size(&elem->data[1])) {
 			const struct ieee80211_he_6ghz_oper *he_6ghz_oper;
 
+			he_oper = (void *)&elem->data[1];
+
 			he_6ghz_oper = ieee80211_he_6ghz_oper(he_oper);
 			if (!he_6ghz_oper)
 				return channel;