Re: [PATCH] wifi: ieee80211: validate MLE common info length

From: Johannes Berg

Date: Thu Jun 11 2026 - 08:14:52 EST


On Wed, 2026-06-10 at 23:43 +0800, Zhao Li wrote:
> ieee80211_mle_size_ok() verifies that the advertised common information
> length is large enough for the fixed fields that are present, but it does
> not verify that the length also fits in the containing element.
>
> Reconfiguration and Priority Access MLEs also carry a common information
> length octet, but currently skip the common-length check. Reconfiguration
> additionally fails to include the length octet in the minimum common size.
>
> Validate the common information length for Reconfiguration and Priority
> Access MLEs, account for the Reconfiguration length octet, and reject
> common lengths that exceed the element body.
>
> Fixes: 0f48b8b88aa9 ("wifi: ieee80211: add definitions for multi-link element")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Zhao Li <enderaoelyther@xxxxxxxxx>
> ---
> include/linux/ieee80211-eht.h | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/include/linux/ieee80211-eht.h b/include/linux/ieee80211-eht.h
> index a97b1d01f3acf..d875045abf6cc 100644
> --- a/include/linux/ieee80211-eht.h
> +++ b/include/linux/ieee80211-eht.h
> @@ -878,6 +878,8 @@ static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len)
> check_common_len = true;
> break;
> case IEEE80211_ML_CONTROL_TYPE_RECONF:
> + common += 1;
> + check_common_len = true;
> if (control & IEEE80211_MLC_RECONF_PRES_MLD_MAC_ADDR)
> common += ETH_ALEN;
> if (control & IEEE80211_MLC_RECONF_PRES_EML_CAPA)
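Review bot: with `check_common_len = true;` added to the RECONF arm here (and to the PRIO_ACCESS arm further down), every case of the switch now sets the flag, so it no longer selects anything; drop the variable and perform the common-length check unconditionally after the switch instead of carrying a flag that is always true. The `common += 1;` for the length octet is correctly placed before the presence tests, since the optional Reconfiguration fields (`IEEE80211_MLC_RECONF_PRES_MLD_MAC_ADDR`, `IEEE80211_MLC_RECONF_PRES_EML_CAPA`) are added on top of that minimum.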
> @@ -893,6 +895,7 @@ static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len)
> break;
> case IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS:
> common = ETH_ALEN + 1;
> + check_common_len = true;
> break;
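Review bot: the commit message says common lengths that exceed the element body are rejected, but neither quoted hunk contains that comparison, and the diffstat (4 insertions, 1 deletion) counts one more insertion and one deletion than the two hunks shown; please make sure the unquoted hunk compares the length octet against the remaining `len` and not only against `common`, because that bound is the part of the fix a malformed element would otherwise slip past. For PRIO_ACCESS, `common = ETH_ALEN + 1` already includes the length octet, so only the flag is needed in this arm, unlike the RECONF arm which had to add `common += 1`.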

You just made check_common_len redundant; it's now always true.

I originally introduced it because variable[0] wasn't always common_len,
but that actually got fixed in later drafts, and we should've adjusted
that when we added +1 to all of these, e.g. commit 19aa842dcbb58.

We should probably more comprehensively change the whole thing so that
common_info_len is a separate u8 rather than variable[0], but that's
going to be much harder to do.

A smaller but probably better change would be to use the sub-structs
here that are defined, e.g. struct ieee80211_mle_preq_common_info,
struct ieee80211_mle_tdls_common_info and struct
ieee80211_mle_basic_common_info. But the layout is a bit stupid even
that way, dunno.

johannes
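A stand-alone illustration of the two checks the patch and the reply are about, the advertised Common Info Length covering the fixed fields and, separately, fitting inside the element body. This is example code added for this page, not the kernel's ieee80211_mle_size_ok() and not code from Zhao Li or Johannes Berg. The type values, presence bits and field sizes are this example's own simplified model of the 802.11be layout and should be read as assumptions; only the Reconfiguration and Priority Access variants from the quoted hunks are modelled, and the test vectors are constructed, not captured frames.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified model of the multi-link element (MLE) size check. Added example
 * code, not the kernel's ieee80211_mle_size_ok(). The type values, presence
 * bits and field sizes below are assumptions about the 802.11be layout.
 *
 * Element body: 2-octet Multi-Link Control (little endian), then Common Info,
 * whose first octet is the Common Info Length and counts itself, then Link
 * Info subelements.
 */
#define ETH_ALEN 6

#define MLE_CTRL_TYPE_MASK          0x0007
#define MLE_TYPE_RECONF             2
#define MLE_TYPE_PRIO_ACCESS        4

/* Reconfiguration variant presence bits (assumed layout) */
#define MLE_RECONF_PRES_MLD_MAC     0x0010
#define MLE_RECONF_PRES_EML_CAPA    0x0020
#define MLE_RECONF_PRES_MLD_CAPA_OP 0x0040

/* Smallest Common Info, length octet included, that the control word
 * permits; 0 for a variant this model does not handle. */
static size_t mle_min_common(uint16_t control)
{
    size_t common = 1; /* the Common Info Length octet itself */

    switch (control & MLE_CTRL_TYPE_MASK) {
    case MLE_TYPE_RECONF:
        /* every field optional; the length octet alone is a legal minimum */
        if (control & MLE_RECONF_PRES_MLD_MAC)     common += ETH_ALEN;
        if (control & MLE_RECONF_PRES_EML_CAPA)    common += 2;
        if (control & MLE_RECONF_PRES_MLD_CAPA_OP) common += 2;
        return common;
    case MLE_TYPE_PRIO_ACCESS:
        return common + ETH_ALEN; /* AP MLD MAC address, always present */
    default:
        return 0; /* Basic, Probe Request, TDLS: not modelled here */
    }
}

/* Pre-fix shape of the check: the advertised length must cover the fixed
 * fields, but nothing ties it to the size of the element body. */
static bool mle_size_ok_unbounded(const uint8_t *data, size_t len)
{
    uint16_t control;
    size_t min_common;

    if (len < 3) /* control word plus the length octet */
        return false;
    control = (uint16_t)data[0] | ((uint16_t)data[1] << 8);
    min_common = mle_min_common(control);
    return min_common != 0 && data[2] >= min_common;
}

/* Hardened check: the Common Info must also fit inside the body, so that
 * data + 2 + data[2] is a valid place to start parsing Link Info. */
static bool mle_size_ok(const uint8_t *data, size_t len)
{
    if (!mle_size_ok_unbounded(data, len))
        return false;
    return (size_t)2 + data[2] <= len;
}

/* Constructed vectors, not captured frames; MAC addresses are made up. */
static const uint8_t prio_access_ok[] = {
    0x04, 0x00,                         /* Priority Access, no presence bits */
    0x07,                               /* Common Info Length: 1 + ETH_ALEN */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01, /* AP MLD MAC address */
};
static const uint8_t prio_access_overlong[] = {
    0x04, 0x00,
    0x40,                               /* claims 64 octets in a 9-octet body */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
};
static const uint8_t reconf_minimal[] = {
    0x02, 0x00,                         /* Reconfiguration, nothing present */
    0x01,                               /* only the length octet */
};
static const uint8_t reconf_mac_short[] = {
    0x12, 0x00,                         /* Reconfiguration, MLD MAC present */
    0x01,                               /* length forgets the 6-octet address */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
};

int main(void)
{
    printf("prio_access_ok:       unbounded=%d bounded=%d\n",
           mle_size_ok_unbounded(prio_access_ok, sizeof(prio_access_ok)),
           mle_size_ok(prio_access_ok, sizeof(prio_access_ok)));
    printf("prio_access_overlong: unbounded=%d bounded=%d\n",
           mle_size_ok_unbounded(prio_access_overlong, sizeof(prio_access_overlong)),
           mle_size_ok(prio_access_overlong, sizeof(prio_access_overlong)));
    printf("reconf_minimal:       bounded=%d\n",
           mle_size_ok(reconf_minimal, sizeof(reconf_minimal)));
    printf("reconf_mac_short:     bounded=%d\n",
           mle_size_ok(reconf_mac_short, sizeof(reconf_mac_short)));
    return 0;
}
```

The `prio_access_overlong` vector is the case the thread is about: its length octet satisfies the "large enough for the fixed fields" test, so the unbounded check accepts it, while a caller that then steps to `data + 2 + data[2]` lands 57 octets past the end of the body. The bounded check rejects it purely from the element's own length.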