wifi: mac80211: check S1G action frame size

Before checking the action code, check that it even exists in the frame. Reported-by: syzbot+be9c824e6f269d608288@syzkaller.appspotmail.com Signed-off-by: Johannes Berg <johannes.berg@intel.com>

wifi: mac80211: check S1G action frame size
Before checking the action code, check that it even exists in the frame. Reported-by: syzbot+be9c824e6f269d608288@syzkaller.appspotmail.com Signed-off-by: Johannes Berg <johannes.berg@intel.com>
19e4a47e · Johannes Berg · 6d2c360b · 19e4a47e
Commit 19e4a47e authored Aug 15, 2023 by Johannes Berg
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

net/mac80211/rx.c net/mac80211/rx.c +4 -0

No files found.
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3732,6 +3732,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
 			break;
 		goto queue;
 	case WLAN_CATEGORY_S1G:
+		if (len < offsetofend(typeof(*mgmt),
+				      u.action.u.s1g.action_code))
+			break;
+
 		switch (mgmt->u.action.u.s1g.action_code) {
 		case WLAN_S1G_TWT_SETUP:
 		case WLAN_S1G_TWT_TEARDOWN: