wifi: cfg80211: reject HTC bit for management frames

[ Upstream commit be06a8c7313943109fa870715356503c4c709cbc ] Management frames sent by userspace should never have the order/HTC bit set, reject that. It could also cause some confusion with the length of the buffer and the header so the validation might end up wrong. Link: https://patch.msgid.link/20250718202307.97a0455f0f35.I1805355c7e331352df16611839bc8198c855a33f@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Johannes Berg <johannes.berg@intel.com> 2025-07-18 20:23:06 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-08-20 18:30:29 +0200
commit: 8ab6e67ae52462f9594d7b74cd9678f14bb031b1 (patch)
tree: 17863de6c175932f23895a4013cf294ffbb2a617
parent: 1d325fed242d44c322d41d23396ee3148894c4d2 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index a5eb92d93074..d1a66410b9c5 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -843,7 +843,8 @@ int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev,
 
 	mgmt = (const struct ieee80211_mgmt *)params->buf;
 
-	if (!ieee80211_is_mgmt(mgmt->frame_control))
+	if (!ieee80211_is_mgmt(mgmt->frame_control) ||
+	    ieee80211_has_order(mgmt->frame_control))
 		return -EINVAL;
 
 	stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE;
author	Johannes Berg <johannes.berg@intel.com>	2025-07-18 20:23:06 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-08-20 18:30:29 +0200
commit	8ab6e67ae52462f9594d7b74cd9678f14bb031b1 (patch)
tree	17863de6c175932f23895a4013cf294ffbb2a617
parent	1d325fed242d44c322d41d23396ee3148894c4d2 (diff)