mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-12-29 17:25:38 +00:00
wifi: cfg80211: correct S1G beacon length calculation
The minimum header length calculation (equivalent to the start
of the elements) for the S1G long beacon erroneously required
only up to the start of u.s1g_beacon rather than the start of
u.s1g_beacon.variable. Fix that, and also shuffle the branches
around a bit to not assign useless values that are overwritten
later.
Reported-by: syzbot+0f3afa93b91202f21939@syzkaller.appspotmail.com
Fixes: 9eaffe5078
("cfg80211: convert S1G beacon to scan results")
Link: https://patch.msgid.link/20240724132912.9662972db7c1.I8779675b5bbda4994cc66f876b6b87a2361c3c0b@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This commit is contained in:
parent
baeaabf970
commit
6873cc4416
@ -3178,8 +3178,7 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy,
|
||||
struct ieee80211_mgmt *mgmt, size_t len,
|
||||
gfp_t gfp)
|
||||
{
|
||||
size_t min_hdr_len = offsetof(struct ieee80211_mgmt,
|
||||
u.probe_resp.variable);
|
||||
size_t min_hdr_len;
|
||||
struct ieee80211_ext *ext = NULL;
|
||||
enum cfg80211_bss_frame_type ftype;
|
||||
u16 beacon_interval;
|
||||
@ -3202,10 +3201,16 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy,
|
||||
|
||||
if (ieee80211_is_s1g_beacon(mgmt->frame_control)) {
|
||||
ext = (void *) mgmt;
|
||||
min_hdr_len = offsetof(struct ieee80211_ext, u.s1g_beacon);
|
||||
if (ieee80211_is_s1g_short_beacon(mgmt->frame_control))
|
||||
min_hdr_len = offsetof(struct ieee80211_ext,
|
||||
u.s1g_short_beacon.variable);
|
||||
else
|
||||
min_hdr_len = offsetof(struct ieee80211_ext,
|
||||
u.s1g_beacon.variable);
|
||||
} else {
|
||||
/* same for beacons */
|
||||
min_hdr_len = offsetof(struct ieee80211_mgmt,
|
||||
u.probe_resp.variable);
|
||||
}
|
||||
|
||||
if (WARN_ON(len < min_hdr_len))
|
||||
|
Loading…
Reference in New Issue
Block a user