On Fri, Dec 17, 2021 at 09:37:06PM +0100, Johannes Berg wrote:
> From: Johannes Berg <johannes.berg@xxxxxxxxx>
>
> Commit 768c0b19b50665e337c96858aa2b7928d6dcf756 upstream.
>
> Before attempting to parse an extended element, verify that
> the extended element ID is present.
>
> Fixes: 41cbb0f5a295 ("mac80211: add support for HE")
> Reported-by: syzbot+59bdff68edce82e393b6@xxxxxxxxxxxxxxxxxxxxxxxxx
> Link: https://lore.kernel.org/r/20211211201023.f30a1b128c07.I5cacc176da94ba316877c6e10fe3ceec8b4dbd7d@changeid
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
> ---
> net/mac80211/util.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/mac80211/util.c b/net/mac80211/util.c
> index decd46b38393..c1c117fdf318 100644
> --- a/net/mac80211/util.c
> +++ b/net/mac80211/util.c
> @@ -1227,6 +1227,8 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
> elems->max_idle_period_ie = (void *)pos;
> break;
> case WLAN_EID_EXTENSION:
> + if (!elen)
> + break;
> if (pos[0] == WLAN_EID_EXT_HE_MU_EDCA &&
> elen >= (sizeof(*elems->mu_edca_param_set) + 1)) {
> elems->mu_edca_param_set = (void *)&pos[1];
> --
> 2.33.1
>
Now queued up, thanks.
greg k-h
