This is a note to let you know that I've just added the patch titled
wifi: mac80211: check S1G action frame size
to the 6.5-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
wifi-mac80211-check-s1g-action-frame-size.patch
and it can be found in the queue-6.5 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit 7f7f4659ca96cef28a401bf2d2046a8b87af4da5
Author: Johannes Berg <johannes.berg@xxxxxxxxx>
Date: Tue Aug 15 17:51:05 2023 +0200
wifi: mac80211: check S1G action frame size
[ Upstream commit 19e4a47ee74718a22e963e8a647c8c3bfe8bb05c ]
Before checking the action code, check that it even
exists in the frame.
Reported-by: syzbot+be9c824e6f269d608288@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 0af2599c17e8d..e751cda5eef69 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3734,6 +3734,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
break;
goto queue;
case WLAN_CATEGORY_S1G:
+ if (len < offsetofend(typeof(*mgmt),
+ u.action.u.s1g.action_code))
+ break;
+
switch (mgmt->u.action.u.s1g.action_code) {
case WLAN_S1G_TWT_SETUP:
case WLAN_S1G_TWT_TEARDOWN:
