Jeff Johnson <quic_jjohnson@xxxxxxxxxxx> wrote: > While converting struct ieee80211_tim_ie::virtual_map to be a flexible > array it was observed that the TIM IE processing in cw1200_rx_cb() > could potentially process a malformed IE in a manner that could result > in a buffer over-read. Add logic to verify that the TIM IE length is > large enough to hold a valid TIM payload before processing it. > > Signed-off-by: Jeff Johnson <quic_jjohnson@xxxxxxxxxxx> Patch applied to wireless-next.git, thanks. b7bcea9c27b3 wifi: cw1200: Avoid processing an invalid TIM IE -- https://patchwork.kernel.org/project/linux-wireless/patch/20230831-ieee80211_tim_ie-v3-1-e10ff584ab5d@xxxxxxxxxxx/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
