Commit a85b8544 authored Jun 14, 2025 by Johannes Berg

wifi: remove zero-length arrays

All of these are really meant to be variable-length, and
in the case of s1g_beacon it's actually accessed. Make that
one in particular, and a couple of others (that aren't used
as arrays now), actually variable.

Reported-by: <syzbot+fd222bb38e916df26fa4@syzkaller.appspotmail.com>
Fixes: 1e1f706f ("wifi: cfg80211/mac80211: correctly parse S1G beacon optional elements")
Link: https://patch.msgid.link/20250614003037.a3e82e882251.I2e8b58e56ff2a9f8b06c66f036578b7c1d4e4685@changeid

Signed-off-by: Johannes Berg <johannes.berg@intel.com>

parent 27605c8c

include/linux/ieee80211.h

+9 −9

Original line number	Diff line number	Diff line
		@@ -1278,7 +1278,7 @@ struct ieee80211_ext {
		u8 sa[ETH_ALEN];
		__le32 timestamp;
		u8 change_seq;
		u8 variable[0];
		u8 variable[];
		} __packed s1g_beacon;
		} u;
		} __packed __aligned(2);
		@@ -1536,7 +1536,7 @@ struct ieee80211_mgmt {
		u8 action_code;
		u8 dialog_token;
		__le16 capability;
		u8 variable[0];
		u8 variable[];
		} __packed tdls_discover_resp;
		struct {
		u8 action_code;
		@@ -1721,35 +1721,35 @@ struct ieee80211_tdls_data {
		struct {
		u8 dialog_token;
		__le16 capability;
		u8 variable[0];
		u8 variable[];
		} __packed setup_req;
		struct {
		__le16 status_code;
		u8 dialog_token;
		__le16 capability;
		u8 variable[0];
		u8 variable[];
		} __packed setup_resp;
		struct {
		__le16 status_code;
		u8 dialog_token;
		u8 variable[0];
		u8 variable[];
		} __packed setup_cfm;
		struct {
		__le16 reason_code;
		u8 variable[0];
		u8 variable[];
		} __packed teardown;
		struct {
		u8 dialog_token;
		u8 variable[0];
		u8 variable[];
		} __packed discover_req;
		struct {
		u8 target_channel;
		u8 oper_class;
		u8 variable[0];
		u8 variable[];
		} __packed chan_switch_req;
		struct {
		__le16 status_code;
		u8 variable[0];
		u8 variable[];
		} __packed chan_switch_resp;
		} u;
		} __packed;