Commit 162d331d authored Feb 20, 2026 by Ariel Silver Committed by Johannes Berg Feb 23, 2026

wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration



link_id is taken from the ML Reconfiguration element (control & 0x000f),
so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS
(15) elements, so index 15 is out-of-bounds. Skip subelements with
link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds
write.

Fixes: 8eb8dd2f ("wifi: mac80211: Support link removal using Reconfiguration ML element")
Reported-by: Ariel Silver <arielsilver77@gmail.com>
Signed-off-by: Ariel Silver <arielsilver77@gmail.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260220101129.1202657-1-Ariel.Silver@cybereason.com


Signed-off-by: Johannes Berg <johannes.berg@intel.com>

parent 2259d144

net/mac80211/mlme.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -7085,6 +7085,9 @@ static void ieee80211_ml_reconfiguration(struct ieee80211_sub_if_data *sdata,
		control = le16_to_cpu(prof->control);
		link_id = control & IEEE80211_MLE_STA_RECONF_CONTROL_LINK_ID;

		if (link_id >= IEEE80211_MLD_MAX_NUM_LINKS)
		continue;

		removed_links \|= BIT(link_id);

		/* the MAC address should not be included, but handle it */