Commit 1fe44a86 authored by Lachlan Hodges's avatar Lachlan Hodges Committed by Johannes Berg
Browse files

wifi: cfg80211: fix S1G beacon head validation in nl80211 



S1G beacons contain fixed length optional fields that precede the
variable length elements, ensure we take this into account when
validating the beacon. This particular case was missed in
1e1f706f ("wifi: cfg80211/mac80211: correctly parse S1G
beacon optional elements").

Fixes: 1d47f119 ("nl80211: correctly validate S1G beacon head")
Signed-off-by: default avatarLachlan Hodges <lachlan.hodges@morsemicro.com>
Link: https://patch.msgid.link/20250626115118.68660-1-lachlan.hodges@morsemicro.com


[shorten/reword subject]
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent e34a79b9

net/wireless/nl80211.c

+5 −2
Original line number Diff line number Diff line
@@ -229,6 +229,7 @@ static int validate_beacon_head(const struct nlattr *attr, 
	unsigned int len = nla_len(attr);

	const struct element *elem;

	const struct ieee80211_mgmt *mgmt = (void *)data;

	const struct ieee80211_ext *ext;

	unsigned int fixedlen, hdrlen;

	bool s1g_bcn;








@@ -237,8 +238,10 @@ static int validate_beacon_head(const struct nlattr *attr,















	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);









	if (s1g_bcn) {









		fixedlen = offsetof(struct ieee80211_ext,









				    u.s1g_beacon.variable);









		ext = (struct ieee80211_ext *)mgmt;









		fixedlen =









			offsetof(struct ieee80211_ext, u.s1g_beacon.variable) +









			ieee80211_s1g_optional_len(ext->frame_control);









		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);









	} else {









		fixedlen = offsetof(struct ieee80211_mgmt,