From: Johannes Berg <johannes.berg@xxxxxxxxx> We need to check the fixed portion is present before calling ieee80211_he_oper_size() so that we don't access fields in the static portion that don't exist. type=bugfix ticket=none fixes=I130f678e4aa390973ab39d838bbfe7b2d54bff8e Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx> Reviewed-on: https://git-amr-3.devtools.intel.com/gerrit/332428 automatic-review: ec ger unix iil jenkins <EC.GER.UNIX.IIL.JENKINS@xxxxxxxxx> Tested-by: ec ger unix iil jenkins <EC.GER.UNIX.IIL.JENKINS@xxxxxxxxx> Reviewed-by: Luciano Coelho <luciano.coelho@xxxxxxxxx> --- net/wireless/scan.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 3fd0757ead29..fddcb60b5b60 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -1802,14 +1802,16 @@ int cfg80211_get_ies_channel_number(const u8 *ie, size_t ielen, if (channel->band == NL80211_BAND_6GHZ) { const struct element *elem; + struct ieee80211_he_operation *he_oper; elem = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ie, ielen); - if (elem && elem->datalen >= ieee80211_he_oper_size(&elem->data[1])) { - struct ieee80211_he_operation *he_oper = - (void *)(&elem->data[1]); + if (elem && elem->datalen >= sizeof(*he_oper) && + elem->datalen >= ieee80211_he_oper_size(&elem->data[1])) { const struct ieee80211_he_6ghz_oper *he_6ghz_oper; + he_oper = (void *)&elem->data[1]; + he_6ghz_oper = ieee80211_he_6ghz_oper(he_oper); if (!he_6ghz_oper) return channel; -- 2.33.1
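Review bot: the new fixed-portion check `elem->datalen >= sizeof(*he_oper)` looks off by one relative to where the structure is actually read. The hunk assigns `he_oper = (void *)&elem->data[1]`, skipping the extension ID byte at data[0], so only `elem->datalen - 1` bytes back the struct; an element whose datalen is exactly sizeof(*he_oper) passes the check but still leaves the last byte of the fixed portion outside the element, which is the very read this patch sets out to prevent. Suggest `elem->datalen >= sizeof(*he_oper) + 1` (or comparing `elem->datalen - 1`), and please confirm that ieee80211_he_oper_size(), which is also passed `&elem->data[1]`, accounts for the extension ID byte in its return value so the two comparisons are consistent.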