[PATCH AUTOSEL 6.4 29/41] wifi: mac80211: check S1G action frame size

From: Sasha Levin
Date: Fri Sep 08 2023 - 14:20:54 EST

Next message: Sasha Levin: "[PATCH AUTOSEL 6.4 33/41] wifi: mac80211: check for station first in client probe"
Previous message: Sasha Levin: "[PATCH AUTOSEL 6.4 28/41] wifi: iwlwifi: pcie: avoid a warning in case prepare card failed"
In reply to: Sasha Levin: "[PATCH AUTOSEL 6.4 28/41] wifi: iwlwifi: pcie: avoid a warning in case prepare card failed"
Next in thread: Sasha Levin: "[PATCH AUTOSEL 6.4 33/41] wifi: mac80211: check for station first in client probe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Johannes Berg <johannes.berg@xxxxxxxxx>

[ Upstream commit 19e4a47ee74718a22e963e8a647c8c3bfe8bb05c ]

Before checking the action code, check that it even
exists in the frame.

Reported-by: syzbot+be9c824e6f269d608288@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
net/mac80211/rx.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index fc6e130364da1..8580caa470d6d 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3713,6 +3713,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
break;
goto queue;
case WLAN_CATEGORY_S1G:
+ if (len < offsetofend(typeof(*mgmt),
+ u.action.u.s1g.action_code))
+ break;
+
switch (mgmt->u.action.u.s1g.action_code) {
case WLAN_S1G_TWT_SETUP:
case WLAN_S1G_TWT_TEARDOWN:
--
2.40.1

Next message: Sasha Levin: "[PATCH AUTOSEL 6.4 33/41] wifi: mac80211: check for station first in client probe"
Previous message: Sasha Levin: "[PATCH AUTOSEL 6.4 28/41] wifi: iwlwifi: pcie: avoid a warning in case prepare card failed"
In reply to: Sasha Levin: "[PATCH AUTOSEL 6.4 28/41] wifi: iwlwifi: pcie: avoid a warning in case prepare card failed"
Next in thread: Sasha Levin: "[PATCH AUTOSEL 6.4 33/41] wifi: mac80211: check for station first in client probe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]