[PATCH 4.19 40/56] mac80211: validate extended element ID is present
From: Greg Kroah-Hartman
Date: Mon Dec 20 2021 - 09:47:44 EST
From: Johannes Berg <johannes.berg@xxxxxxxxx>
commit 768c0b19b50665e337c96858aa2b7928d6dcf756 upstream.
Before attempting to parse an extended element, verify that
the extended element ID is present.
Fixes: 41cbb0f5a295 ("mac80211: add support for HE")
Reported-by: syzbot+59bdff68edce82e393b6@xxxxxxxxxxxxxxxxxxxxxxxxx
Link: https://lore.kernel.org/r/20211211201023.f30a1b128c07.I5cacc176da94ba316877c6e10fe3ceec8b4dbd7d@changeid
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/mac80211/util.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1102,6 +1102,8 @@ u32 ieee802_11_parse_elems_crc(const u8
elems->max_idle_period_ie = (void *)pos;
break;
case WLAN_EID_EXTENSION:
+ if (!elen)
+ break;
if (pos[0] == WLAN_EID_EXT_HE_MU_EDCA &&
elen >= (sizeof(*elems->mu_edca_param_set) + 1)) {
elems->mu_edca_param_set = (void *)&pos[1];