From: Zhao Li <enderaoelyther@gmail.com>
To: Johannes Berg <johannes.berg@intel.com>
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
Zhao Li <enderaoelyther@gmail.com>,
stable@vger.kernel.org
Subject: [PATCH] wifi: ieee80211: validate MLE common info length
Date: Wed, 10 Jun 2026 23:43:03 +0800 [thread overview]
Message-ID: <20260610154303.37079-1-enderaoelyther@gmail.com> (raw)
ieee80211_mle_size_ok() verifies that the advertised common information
length is large enough for the fixed fields that are present, but it does
not verify that the length also fits in the containing element.
Reconfiguration and Priority Access MLEs also carry a common information
length octet, but currently skip the common-length check. Reconfiguration
additionally fails to include the length octet in the minimum common size.
Validate the common information length for Reconfiguration and Priority
Access MLEs, account for the Reconfiguration length octet, and reject
common lengths that exceed the element body.
Fixes: 0f48b8b88aa9 ("wifi: ieee80211: add definitions for multi-link element")
Cc: stable@vger.kernel.org
Signed-off-by: Zhao Li <enderaoelyther@gmail.com>
---
include/linux/ieee80211-eht.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/linux/ieee80211-eht.h b/include/linux/ieee80211-eht.h
index a97b1d01f3acf..d875045abf6cc 100644
--- a/include/linux/ieee80211-eht.h
+++ b/include/linux/ieee80211-eht.h
@@ -878,6 +878,8 @@ static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len)
check_common_len = true;
break;
case IEEE80211_ML_CONTROL_TYPE_RECONF:
+ common += 1;
+ check_common_len = true;
if (control & IEEE80211_MLC_RECONF_PRES_MLD_MAC_ADDR)
common += ETH_ALEN;
if (control & IEEE80211_MLC_RECONF_PRES_EML_CAPA)
@@ -893,6 +895,7 @@ static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len)
break;
case IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS:
common = ETH_ALEN + 1;
+ check_common_len = true;
break;
default:
/* we don't know this type */
@@ -906,7 +909,7 @@ static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len)
return true;
/* if present, common length is the first octet there */
- return mle->variable[0] >= common;
+ return mle->variable[0] >= common && mle->variable[0] <= len - fixed;
}
/**
--
2.50.1 (Apple Git-155)
next reply other threads:[~2026-06-10 15:43 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-10 15:43 Zhao Li [this message]
2026-06-11 12:14 ` [PATCH] wifi: ieee80211: validate MLE common info length Johannes Berg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260610154303.37079-1-enderaoelyther@gmail.com \
--to=enderaoelyther@gmail.com \
--cc=johannes.berg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox