Dear Linux Developers for NETWORKING and MAC80211,

We are curious about the use of `struct cfg80211_mbssid_elems *dst` in function `ieee80211_copy_mbssid_beacon`.

The definition of `struct cfg80211_mbssid_elems` is at https://elixir.bootlin.com/linux/v6.10.6/source/include/net/cfg80211.h#L1304.

```
struct cfg80211_mbssid_elems {
	u8 cnt;
	struct {
		const u8 *data;
		size_t len;
	} elem[] __counted_by(cnt);
};
```

Our question is: The `elem` member of `struct cfg80211_mbssid_elems` is annotated with "__counted_by", which means the array size is indicated by `cnt`. Only if we set `cnt` before accessing `elem[i]` can the flexible member `elem` be properly bounds-checked at run-time when enabling CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE. Otherwise there will be a warning from each array access that is prior to the initialization, because the number of elements is zero.

In function `ieee80211_copy_mbssid_beacon` at https://elixir.bootlin.com/linux/v6.10.6/source/net/mac80211/cfg.c#L1073, we think it's needed to relocate `dst->cnt = src->cnt` before accessing `dst->elem[i]`. And https://elixir.bootlin.com/linux/v6.10.6/source/net/mac80211/cfg.c#L1090 is the same.

Here is an example of a fix for a similar situation: https://lore.kernel.org/stable/20240613113225.898955993@xxxxxxxxxxxxxxxxxxx/.

Please kindly correct us if we missed any key information. Looking forward to your response!

Best,
Haoyu Li
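The ordering question raised in the message above, as an added userspace example (not code from the e-mail or from the kernel): a stand-in struct is copied with the counter assigned after or before the loop, and the index-versus-counter comparison is counted. The names `mbssid_elems`, `checked` and `run_copy` are hypothetical, the sample bytes are constructed, and the comparison is modelled by a helper rather than by compiler instrumentation.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-in for struct cfg80211_mbssid_elems (u8 -> unsigned char). */
struct mbssid_elems {
	unsigned char cnt;
	struct { const unsigned char *data; size_t len; } elem[]; /* kernel: __counted_by(cnt) */
};

static int bounds_reports;	/* one per index that is >= cnt at the time it is used */

/* Hypothetical helper: models the index-vs-counter check of a bounds-checked build. */
static size_t checked(const struct mbssid_elems *e, size_t i)
{
	if (i >= e->cnt)
		bounds_reports++;
	return i;
}

/* Copy n constructed elements into a zeroed destination (cnt starts at 0).
 * cnt_first selects whether dst->cnt is assigned before the loop or only after it. */
static int run_copy(int cnt_first, unsigned char n)
{
	static const unsigned char sample[] = { 0x47, 0x00 };	/* constructed bytes */
	struct mbssid_elems *src = calloc(1, sizeof(*src) + n * sizeof(src->elem[0]));
	struct mbssid_elems *dst = calloc(1, sizeof(*dst) + n * sizeof(dst->elem[0]));
	if (!src || !dst)
		exit(1);
	src->cnt = n;
	for (size_t i = 0; i < n; i++) {
		src->elem[i].data = sample;
		src->elem[i].len = sizeof(sample);
	}
	bounds_reports = 0;
	if (cnt_first)
		dst->cnt = src->cnt;	/* counter is valid before the first store */
	for (size_t i = 0; i < src->cnt; i++)
		dst->elem[checked(dst, i)] = src->elem[i];
	dst->cnt = src->cnt;		/* too late for the checks when cnt_first == 0 */
	free(src);
	free(dst);
	return bounds_reports;
}

int main(void)
{
	printf("cnt last: %d reports, cnt first: %d reports\n", run_copy(0, 3), run_copy(1, 3));
	return 0;
}
```

Both orderings write the same memory; only the counter-first ordering keeps every index below `cnt` at the moment it is checked.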