author | Veerendranath Jakkam <quic_vjakkam@quicinc.com> | 2025-04-24 18:01:42 +0530 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-05-18 08:24:47 +0200 |
commit | 9423f6da825172b8dc60d4688ed3d147291c3be9 (patch) | |
tree | 4f299385694dc674186aa85ad5c251cdf3f085ce | |
parent | be54b750c333a9db7c3b3686846bb06b07b011fe (diff) |
wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation
commit 023c1f2f0609218103cbcb48e0104b144d4a16dc upstream.
Currently during the multi-link element defragmentation process, the
multi-link element length is added to the total IEs length when calculating
the length of remaining IEs after the multi-link element in
cfg80211_defrag_mle(). This could lead to out-of-bounds access if the
multi-link element or its corresponding fragment elements are the last
elements in the IEs buffer.
To address this issue, correctly calculate the remaining IEs length by
deducting the multi-link element end offset from total IEs end offset.
Cc: stable@vger.kernel.org
Fixes: 2481b5da9c6b ("wifi: cfg80211: handle BSS data contained in ML probe responses")
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Link: https://patch.msgid.link/20250424-fix_mle_defragmentation_oob_access-v1-1-84412a1743fa@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
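The length calculation described in the commit message, worked through on a buffer whose last element is the multi-link element. This is an added example, not code from the commit or the kernel tree: `struct element` is a local stand-in for the kernel type, `sample_ies` is a constructed buffer, and `remaining_before_fix`, `remaining_after_fix` and `overshoot` are hypothetical helper names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's struct element: ID byte, length byte, payload. */
struct element {
    uint8_t id;
    uint8_t datalen;
    uint8_t data[];
};

/* Constructed IE buffer: an SSID element, then an extension element (id 255)
 * standing in for the multi-link element as the LAST element in the buffer. */
static const uint8_t sample_ies[] = {
    0x00, 0x03, 'a', 'b', 'c',
    0xff, 0x04, 0x6b, 0x00, 0x00, 0x00,
};
#define SAMPLE_MLE_OFFSET 5 /* offset of the multi-link element in sample_ies */

/* Length passed to the fragment walk before the fix (the removed expression). */
static size_t remaining_before_fix(const struct element *mle, size_t ielen)
{
    return ielen - sizeof(*mle) + mle->datalen;
}

/* Length passed after the fix: end of the buffer minus end of the element. */
static size_t remaining_after_fix(const struct element *mle,
                                  const uint8_t *ie, size_t ielen)
{
    return (size_t)(ie + ielen - mle->data - mle->datalen);
}

/* Bytes beyond ie + ielen covered by a walk of len bytes from the element's end. */
static size_t overshoot(const struct element *mle, const uint8_t *ie,
                        size_t ielen, size_t len)
{
    size_t start = (size_t)(mle->data + mle->datalen - ie);
    return start + len > ielen ? start + len - ielen : 0;
}

int main(void)
{
    const struct element *mle = (const struct element *)(sample_ies + SAMPLE_MLE_OFFSET);
    size_t ielen = sizeof(sample_ies);
    size_t before = remaining_before_fix(mle, ielen);
    size_t after = remaining_after_fix(mle, sample_ies, ielen);
    printf("before fix: len=%zu overshoot=%zu\n", before, overshoot(mle, sample_ies, ielen, before));
    printf("after fix:  len=%zu overshoot=%zu\n", after, overshoot(mle, sample_ies, ielen, after));
    return 0;
}
```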
-rw-r--r-- | net/wireless/scan.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 18e132cdea72..f0dd1f448d4d 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -2644,7 +2644,7 @@ cfg80211_defrag_mle(const struct element *mle, const u8 *ie, size_t ielen, /* Required length for first defragmentation */ buf_len = mle->datalen - 1; for_each_element(elem, mle->data + mle->datalen, - ielen - sizeof(*mle) + mle->datalen) { + ie + ielen - mle->data - mle->datalen) { if (elem->id != WLAN_EID_FRAGMENT) break; |
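Review bot: The new length argument to for_each_element(), `ie + ielen - mle->data - mle->datalen`, is only correct if mle points inside the ie buffer and its payload ends at or before ie + ielen, and nothing in this hunk checks or documents that precondition; if it were violated the pointer difference would be negative. Consider stating the requirement in a comment above the loop (or in the function's kernel-doc), or computing the end pointer once as a local for ie + ielen and returning early when mle->data + mle->datalen lies beyond it. A named end pointer would also make it obvious at a glance that the value is "bytes left after the element", which the four-term expression does not.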