From: Alexandru Hossu <hossu.alexandru@gmail.com>
To: security@kernel.org
Cc: linux-wireless@vger.kernel.org, johannes@sipsolutions.net
Subject: [PATCH] wifi: cfg80211: validate common_info length in ieee80211_mle_size_ok()
Date: Fri, 15 May 2026 03:42:04 -0700 (PDT)
Message-ID: <6a06f87c.643c4978.1f1059.84ae@mx.google.com>
Hi Greg,
Here is the fix.
Alexandru
---
For MLE types with a common_info length field (BASIC, PREQ, TDLS),
ieee80211_mle_size_ok() checks that variable[0] is at least as large as
the mandatory fields, but it does not check that the value fits within
the element itself.

cfg80211_defrag_mle() computes the sub-element area start as:

    common_size = ieee80211_mle_common_size((u8 *)res->mle);
    ie = res->data + common_size;
    ielen = mle_len - common_size;

ieee80211_mle_common_size() returns sizeof(*mle) + mle->variable[0].

If variable[0] is larger than the actual element, common_size exceeds
mle_len and the size_t subtraction wraps. for_each_element_id() then
iterates over arbitrary kernel heap memory past the allocation.

Add the missing upper-bound check so variable[0] cannot exceed the
element size.
Signed-off-by: Alexandru Hossu <hossu.alexandru@gmail.com>
---
include/linux/ieee80211-eht.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/include/linux/ieee80211-eht.h b/include/linux/ieee80211-eht.h
index 87d92fb86fab..738a581c3683 100644
--- a/include/linux/ieee80211-eht.h
+++ b/include/linux/ieee80211-eht.h
@@ -908,6 +908,10 @@ static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len)
if (!check_common_len)
return true;
+ /* common_info length must not exceed the element */
+ if (len < fixed + mle->variable[0])
+ return false;
+
/* if present, common length is the first octet there */
return mle->variable[0] >= common;
}
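Review bot: the added `if (len < fixed + mle->variable[0])` reads variable[0] before anything in the visible context shows that len covers that octet; the existing `return mle->variable[0] >= common` performs the same read, so an earlier length check presumably guarantees it for the types that set check_common_len, but a short comment stating that dependency next to the new check would make the hunk self-explanatory, and if the earlier check does not already imply common >= 1 for those types, the new bound must be placed after one that does. Separately, the commit message has no Fixes: tag, which a bug fix of this kind normally carries so that stable backports can locate the origin.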
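To make the wrap described in the commit message concrete, here is an added stand-alone C model of the check before and after the patch, run over a constructed element; it is not kernel code and not the author's, and struct mle_hdr, MLE_COMMON, make_mle() and subelem_len() are assumptions of the example.

```c
/* Added example, not kernel code: a model of the check from the patch.
 * struct mle_hdr mirrors the kernel's ieee80211_multi_link_elem layout
 * (16-bit control, then the common_info whose first octet is its length);
 * MLE_COMMON is an assumed mandatory common_info size for this model. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct mle_hdr {
	uint16_t control;
	uint8_t variable[];
};

#define MLE_FIXED  sizeof(struct mle_hdr)
#define MLE_COMMON 7

/* Size check as described in the commit message; `patched` adds the
 * upper bound from the hunk so variable[0] cannot exceed the element. */
static int mle_size_ok(const uint8_t *data, size_t len, int patched)
{
	const struct mle_hdr *mle = (const void *)data;

	if (len < MLE_FIXED + MLE_COMMON)   /* makes the length octet readable */
		return 0;
	if (patched && len < MLE_FIXED + mle->variable[0])
		return 0;
	return mle->variable[0] >= MLE_COMMON;
}

/* Mirrors the cfg80211_defrag_mle() arithmetic: common_size = fixed +
 * variable[0], ielen = mle_len - common_size. The size_t subtraction
 * wraps to a huge value when common_size > len, which is the bug. */
static size_t subelem_len(const uint8_t *data, size_t len)
{
	const struct mle_hdr *mle = (const void *)data;
	size_t common_size = MLE_FIXED + mle->variable[0];
	return len - common_size; /* wraps when common_size > len */
}

/* Constructed sample element: `total` zeroed octets with the common_info
 * length octet set to `common_len`. Returns 0 if it cannot be built. */
static size_t make_mle(uint8_t *buf, size_t bufsz, size_t total, uint8_t common_len)
{
	if (total > bufsz || total < MLE_FIXED + 1)
		return 0;
	memset(buf, 0, total);
	buf[MLE_FIXED] = common_len;
	return total;
}
```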
Thread overview:
2026-05-15 10:42 Alexandru Hossu [this message]
2026-05-15 11:36 ` [PATCH] wifi: cfg80211: validate common_info length in ieee80211_mle_size_ok() Greg KH
2026-05-15 12:57 ` Alexandru Hossu