wifi: cfg80211: validate HE operation element parsing

[Johannes Berg <johannes.berg@xxxxxxxxx>]

From: Johannes Berg <johannes.berg@xxxxxxxxx>

commit 4dc3a3893dae5a7f73e5809273aca0f1f3548d55 upstream.

Validate that the HE operation element has the correct
length before parsing it.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 645f3d85129d ("wifi: cfg80211: handle UHB AP and STA power type")
Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@xxxxxxxxx>
Link: https://msgid.link/20240523120533.677025eb4a92.I44c091029ef113c294e8fe8b9bf871bf5dbeeb27@changeid
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/wireless/scan.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 127853877a0a..8daed8232b05 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2128,7 +2128,8 @@ static bool cfg80211_6ghz_power_type_valid(const u8 *ie, size_t ielen,
 	struct ieee80211_he_operation *he_oper;
 
 	tmp = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ie, ielen);
-	if (tmp && tmp->datalen >= sizeof(*he_oper) + 1) {
+	if (tmp && tmp->datalen >= sizeof(*he_oper) + 1 &&
+	    tmp->datalen >= ieee80211_he_oper_size(tmp->data + 1)) {
 		const struct ieee80211_he_6ghz_oper *he_6ghz_oper;
 
 		he_oper = (void *)&tmp->data[1];
-- 
2.45.2



Patches currently in stable-queue which might be from johannes.berg@xxxxxxxxx are

queue-6.9/wifi-mac80211-mesh-fix-leak-of-mesh_preq_queue-objec.patch
queue-6.9/wifi-cfg80211-validate-he-operation-element-parsing.patch
queue-6.9/wifi-iwlwifi-dbg_ini-move-iwl_dbg_tlv_free-outside-o.patch
queue-6.9/wifi-iwlwifi-mvm-check-n_ssids-before-accessing-the-.patch
queue-6.9/wifi-iwlwifi-mvm-revert-gen2-tx-a-mpdu-size-to-64.patch
queue-6.9/wifi-mac80211-fix-spatial-reuse-element-size-check.patch
queue-6.9/wifi-cfg80211-lock-wiphy-in-cfg80211_get_station.patch
queue-6.9/wifi-iwlwifi-mvm-don-t-read-past-the-mfuart-notifcat.patch
queue-6.9/wifi-iwlwifi-mvm-set-properly-mac-header.patch
queue-6.9/wifi-mac80211-correctly-parse-spatial-reuse-paramete.patch
queue-6.9/wifi-mt76-mt7615-add-missing-chanctx-ops.patch
queue-6.9/wifi-iwlwifi-mvm-don-t-initialize-csa_work-twice.patch
queue-6.9/wifi-cfg80211-fully-move-wiphy-work-to-unbound-workq.patch
queue-6.9/wifi-mac80211-pass-proper-link-id-for-channel-switch.patch
queue-6.9/net-sched-initialize-noop_qdisc-owner.patch
queue-6.9/wifi-cfg80211-pmsr-use-correct-nla_get_ux-functions.patch
queue-6.9/wifi-mac80211-fix-deadlock-in-ieee80211_sta_ps_deliv.patch