diff options
| author | Johannes Berg | 2023-08-15 17:51:05 +0200 |
|---|---|---|
| committer | Greg Kroah-Hartman | 2023-09-23 11:11:02 +0200 |
| commit | 7ae7a1378a119780c8c17a6b5fc03011c3bb7029 (patch) | |
| tree | a54706553414c4712af411e29b662ecfc21a2a5a | |
| parent | 1c27b73ffa90e83e72371d6ef68f9ec0eebdc79e (diff) | |
wifi: mac80211: check S1G action frame size
[ Upstream commit 19e4a47ee74718a22e963e8a647c8c3bfe8bb05c ]
Before checking the action code, check that it even
exists in the frame.
Reported-by: syzbot+be9c824e6f269d608288@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
| -rw-r--r-- | net/mac80211/rx.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 55dc0610e863..c4c80037df91 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -3625,6 +3625,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx) break; goto queue; case WLAN_CATEGORY_S1G: + if (len < offsetofend(typeof(*mgmt), + u.action.u.s1g.action_code)) + break; + switch (mgmt->u.action.u.s1g.action_code) { case WLAN_S1G_TWT_SETUP: case WLAN_S1G_TWT_TEARDOWN: |