Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A408BC433FE for ; Mon, 29 Nov 2021 13:35:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345372AbhK2NiX (ORCPT ); Mon, 29 Nov 2021 08:38:23 -0500 Received: from paleale.coelho.fi ([176.9.41.70]:49790 "EHLO farmhouse.coelho.fi" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1377721AbhK2NgR (ORCPT ); Mon, 29 Nov 2021 08:36:17 -0500 Received: from 91-156-6-193.elisa-laajakaista.fi ([91.156.6.193] helo=kveik.ger.corp.intel.com) by farmhouse.coelho.fi with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1mrgm9-0012xo-Lk; Mon, 29 Nov 2021 15:32:58 +0200 From: Luca Coelho To: johannes@sipsolutions.net Cc: luca@coelho.fi, linux-wireless@vger.kernel.org Date: Mon, 29 Nov 2021 15:32:37 +0200 Message-Id: X-Mailer: git-send-email 2.33.1 In-Reply-To: <20211129133248.83829-1-luca@coelho.fi> References: <20211129133248.83829-1-luca@coelho.fi> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [PATCH 05/16] [BUGFIX] cfg80211: check fixed size before ieee80211_he_oper_size() Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org From: Johannes Berg We need to check the fixed portion is present before calling ieee80211_he_oper_size() so that we don't access fields in the static portion that don't exist. type=bugfix ticket=none fixes=I130f678e4aa390973ab39d838bbfe7b2d54bff8e Signed-off-by: Johannes Berg Reviewed-on: https://git-amr-3.devtools.intel.com/gerrit/332428 automatic-review: ec ger unix iil jenkins Tested-by: ec ger unix iil jenkins Reviewed-by: Luciano Coelho --- net/wireless/scan.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 3fd0757ead29..fddcb60b5b60 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -1802,14 +1802,16 @@ int cfg80211_get_ies_channel_number(const u8 *ie, size_t ielen, if (channel->band == NL80211_BAND_6GHZ) { const struct element *elem; + struct ieee80211_he_operation *he_oper; elem = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ie, ielen); - if (elem && elem->datalen >= ieee80211_he_oper_size(&elem->data[1])) { - struct ieee80211_he_operation *he_oper = - (void *)(&elem->data[1]); + if (elem && elem->datalen >= sizeof(*he_oper) && + elem->datalen >= ieee80211_he_oper_size(&elem->data[1])) { const struct ieee80211_he_6ghz_oper *he_6ghz_oper; + he_oper = (void *)&elem->data[1]; + he_6ghz_oper = ieee80211_he_6ghz_oper(he_oper); if (!he_6ghz_oper) return channel; -- 2.33.1