> On 29 Mar 2024, at 5:28 AM, Johannes Berg <johannes@xxxxxxxxxxxxxxxx> wrote:
>
> On Thu, 2024-03-28 at 11:57 +1100, Richard Kinder wrote:
>> Logic inside ieee80211_rx_mgmt_beacon accesses the
>> mgmt->u.beacon.timestamp field without first checking whether the beacon
>> received is non-S1G format.
>>
>> Fix the problem by checking the beacon is non-S1G format to avoid access
>> of the mgmt->u.beacon.timestamp field.
>
> Huh, how did that end up being a problem, since iwlmvm with older
> devices is the only driver using that flag, and it doesn't support S1G?
>
> It's still correct, but it shouldn't be a problem now?
>
> johannes

Hi Johannes,

Thanks for the quick reply, much appreciated.

The motivation behind the patch was that a similar pattern is shown in lines 6315-6316: the same flag is checked along with !ieee80211_is_s1g_beacon. If it is guaranteed that an interface running at non-S1G frequencies cannot receive an S1G formatted frame at this point in the receive path, then the check for is_s1g_beacon can be removed.

However, could a malicious actor form an S1G formatted frame with appropriate MAC addresses and trigger this path on the older iwlmvm devices?

Regards,
Richard
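A minimal model of the guarded access discussed above, added here as an illustration and not mac80211's own code: it classifies a frame by its frame-control type/subtype bits (the same mask and values the kernel's ieee80211_is_s1g_beacon test uses) and reads the beacon timestamp only from a non-S1G management beacon long enough to hold the field. The header lengths, function names and sample frames are constructed for this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Frame-control masks and values as in Linux include/linux/ieee80211.h. */
#define FCTL_FTYPE        0x000c
#define FCTL_STYPE        0x00f0
#define FTYPE_MGMT        0x0000
#define STYPE_BEACON      0x0080
#define FTYPE_EXT         0x000c
#define STYPE_S1G_BEACON  0x0010

/* Model layout (assumed for this example): a management beacon has a
 * 24-byte MAC header followed by an 8-byte timestamp; an S1G beacon has a
 * shorter header and no timestamp at that offset, so reading it there is
 * an out-of-format (and possibly out-of-bounds) access. */
#define MGMT_HDR_LEN      24
#define TIMESTAMP_LEN     8

static uint16_t fc_of(const uint8_t *frame) {
    return (uint16_t)(frame[0] | (frame[1] << 8)); /* little-endian on air */
}

/* Same test as the kernel's ieee80211_is_s1g_beacon(): type EXT, subtype S1G beacon. */
bool is_s1g_beacon(uint16_t fc) {
    return (fc & (FCTL_FTYPE | FCTL_STYPE)) == (FTYPE_EXT | STYPE_S1G_BEACON);
}

bool is_beacon(uint16_t fc) {
    return (fc & (FCTL_FTYPE | FCTL_STYPE)) == (FTYPE_MGMT | STYPE_BEACON);
}

/* Guarded accessor: yields a timestamp only for a non-S1G beacon that is long
 * enough to contain the field; otherwise returns false and leaves *ts alone. */
bool beacon_timestamp(const uint8_t *frame, size_t len, uint64_t *ts) {
    if (len < 2) return false;
    uint16_t fc = fc_of(frame);
    if (is_s1g_beacon(fc) || !is_beacon(fc)) return false;
    if (len < MGMT_HDR_LEN + TIMESTAMP_LEN) return false;
    uint64_t v = 0;
    for (int i = TIMESTAMP_LEN - 1; i >= 0; i--)
        v = (v << 8) | frame[MGMT_HDR_LEN + i];
    *ts = v;
    return true;
}

/* Constructed sample frames (not captures): same length, different frame control. */
static const uint8_t classic_beacon[32] = { 0x80, 0x00, [24] = 0x2a }; /* ts = 42 */
static const uint8_t s1g_beacon[32]     = { 0x1c, 0x00, [24] = 0x2a };

uint64_t classic_ts(void) { uint64_t t = 0; return beacon_timestamp(classic_beacon, sizeof classic_beacon, &t) ? t : 0; }
bool s1g_rejected(void) { uint64_t t = 0; return !beacon_timestamp(s1g_beacon, sizeof s1g_beacon, &t); }
```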