Skip to content

Commit

Permalink
wifi: mac80211: check S1G action frame size
Browse files Browse the repository at this point in the history 
[ Upstream commit 19e4a47 ]

Before checking the action code, check that it even
exists in the frame.

Reported-by: syzbot+be9c824e6f269d608288@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
  • Loading branch information
@jmberg-intel @gregkh
jmberg-intel authored and gregkh committed Sep 23, 2023
1 parent b39c24e commit 5e030a2
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions net/mac80211/rx.c
View file
Expand Up @@ -3734,6 +3734,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
break;
goto queue;
case WLAN_CATEGORY_S1G:
if (len < offsetofend(typeof(*mgmt),
u.action.u.s1g.action_code))
break;

switch (mgmt->u.action.u.s1g.action_code) {
case WLAN_S1G_TWT_SETUP:
case WLAN_S1G_TWT_TEARDOWN:
Expand Down

0 comments on commit 5e030a2

Please sign in to comment.