Patch "mac80211: validate extended element ID is present" has been added to the 5.10-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Fri, 17 Dec 2021 14:08:20 +0100

This is a note to let you know that I've just added the patch titled

    mac80211: validate extended element ID is present

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mac80211-validate-extended-element-id-is-present.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 768c0b19b50665e337c96858aa2b7928d6dcf756 Mon Sep 17 00:00:00 2001
From: Johannes Berg <johannes.berg@xxxxxxxxx>
Date: Sat, 11 Dec 2021 20:10:24 +0100
Subject: mac80211: validate extended element ID is present

From: Johannes Berg <johannes.berg@xxxxxxxxx>

commit 768c0b19b50665e337c96858aa2b7928d6dcf756 upstream.

Before attempting to parse an extended element, verify that
the extended element ID is present.

Fixes: 41cbb0f5a295 ("mac80211: add support for HE")
Reported-by: syzbot+59bdff68edce82e393b6@xxxxxxxxxxxxxxxxxxxxxxxxx
Link: https://lore.kernel.org/r/20211211201023.f30a1b128c07.I5cacc176da94ba316877c6e10fe3ceec8b4dbd7d@changeid
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/mac80211/util.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -950,7 +950,12 @@ static void ieee80211_parse_extension_el
 					      struct ieee802_11_elems *elems)
 {
 	const void *data = elem->data + 1;
-	u8 len = elem->datalen - 1;
+	u8 len;
+
+	if (!elem->datalen)
+		return;
+
+	len = elem->datalen - 1;
 
 	switch (elem->data[0]) {
 	case WLAN_EID_EXT_HE_MU_EDCA:


Patches currently in stable-queue which might be from johannes.berg@xxxxxxxxx are

queue-5.10/mac80211-validate-extended-element-id-is-present.patch
queue-5.10/mac80211-fix-regression-in-ssn-handling-of-addba-tx.patch
queue-5.10/mac80211-mark-tx-during-stop-for-tx-in-in_reconfig.patch
queue-5.10/mac80211-send-addba-requests-using-the-tid-queue-of-the-aggregation-session.patch






