* [PATCH] wifi: ieee80211: validate MLE common info length
@ 2026-06-10 15:43 Zhao Li
From: Zhao Li @ 2026-06-10 15:43 UTC (permalink / raw)
To: Johannes Berg; +Cc: linux-wireless, linux-kernel, Zhao Li, stable
ieee80211_mle_size_ok() verifies that the advertised common information
length is large enough for the fixed fields that are present, but it does
not verify that the length also fits in the containing element.

Reconfiguration and Priority Access MLEs also carry a common information
length octet, but currently skip the common-length check. Reconfiguration
additionally fails to include the length octet in the minimum common size.

Validate the common information length for Reconfiguration and Priority
Access MLEs, account for the Reconfiguration length octet, and reject
common lengths that exceed the element body.

Fixes: 0f48b8b88aa9 ("wifi: ieee80211: add definitions for multi-link element")
Cc: stable@vger.kernel.org
Signed-off-by: Zhao Li <enderaoelyther@gmail.com>
---
include/linux/ieee80211-eht.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/linux/ieee80211-eht.h b/include/linux/ieee80211-eht.h
index a97b1d01f3acf..d875045abf6cc 100644
--- a/include/linux/ieee80211-eht.h
+++ b/include/linux/ieee80211-eht.h
@@ -878,6 +878,8 @@ static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len)
check_common_len = true;
break;
case IEEE80211_ML_CONTROL_TYPE_RECONF:
+ common += 1;
+ check_common_len = true;
if (control & IEEE80211_MLC_RECONF_PRES_MLD_MAC_ADDR)
common += ETH_ALEN;
if (control & IEEE80211_MLC_RECONF_PRES_EML_CAPA)
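Review bot: the added `common += 1;` relies on `common` already holding a value when the RECONF case is entered, which this hunk does not show, while the PRIO_ACCESS case in the next hunk assigns `common = ETH_ALEN + 1;` outright; confirm the initialiser above the switch or write the RECONF minimum as an absolute value so the two cases read alike. A one-line comment that the bare `1` is the Common Info Length octet (the octet the commit message says was previously omitted) would also help, since `ETH_ALEN` below documents itself but the literal does not.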
@@ -893,6 +895,7 @@ static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len)
break;
case IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS:
common = ETH_ALEN + 1;
+ check_common_len = true;
break;
default:
/* we don't know this type */
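Review bot: with `check_common_len = true;` added to the PRIO_ACCESS case, every recognised type visible in this and the previous hunk now sets the flag, and `default` handles only unknown types, so `check_common_len` no longer varies between the known cases; consider dropping the flag and the early `return true;` it gates rather than setting it in each case, or state in the commit message why it is kept.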
@@ -906,7 +909,7 @@ static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len)
return true;
/* if present, common length is the first octet there */
- return mle->variable[0] >= common;
+ return mle->variable[0] >= common && mle->variable[0] <= len - fixed;
}
/**
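Review bot: `len - fixed` on the new return line is `size_t` arithmetic, and nothing in this hunk shows that `len >= fixed` (strictly `len > fixed`, so that `mle->variable[0]` itself lies inside the buffer) has been established before this point; if it has not, the subtraction wraps and the new upper bound passes for any value, defeating the check the commit message describes. If that guard does exist earlier in the function, the comparison is a correct bound on the element body, but the `<=` deserves a comment noting that the common length counts the length octet itself (as the `+ 1` terms in the earlier hunks imply), which is why `variable[0] == len - fixed` is the valid full-length case.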
--
2.50.1 (Apple Git-155)
* Re: [PATCH] wifi: ieee80211: validate MLE common info length
@ 2026-06-11 12:14 ` Johannes Berg
From: Johannes Berg @ 2026-06-11 12:14 UTC (permalink / raw)
To: Zhao Li; +Cc: linux-wireless, linux-kernel, stable
On Wed, 2026-06-10 at 23:43 +0800, Zhao Li wrote:
> ieee80211_mle_size_ok() verifies that the advertised common information
> length is large enough for the fixed fields that are present, but it does
> not verify that the length also fits in the containing element.
>
> Reconfiguration and Priority Access MLEs also carry a common information
> length octet, but currently skip the common-length check. Reconfiguration
> additionally fails to include the length octet in the minimum common size.
>
> Validate the common information length for Reconfiguration and Priority
> Access MLEs, account for the Reconfiguration length octet, and reject
> common lengths that exceed the element body.
>
> Fixes: 0f48b8b88aa9 ("wifi: ieee80211: add definitions for multi-link element")
> Cc: stable@vger.kernel.org
> Signed-off-by: Zhao Li <enderaoelyther@gmail.com>
> ---
> include/linux/ieee80211-eht.h | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/include/linux/ieee80211-eht.h b/include/linux/ieee80211-eht.h
> index a97b1d01f3acf..d875045abf6cc 100644
> --- a/include/linux/ieee80211-eht.h
> +++ b/include/linux/ieee80211-eht.h
> @@ -878,6 +878,8 @@ static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len)
> check_common_len = true;
> break;
> case IEEE80211_ML_CONTROL_TYPE_RECONF:
> + common += 1;
> + check_common_len = true;
> if (control & IEEE80211_MLC_RECONF_PRES_MLD_MAC_ADDR)
> common += ETH_ALEN;
> if (control & IEEE80211_MLC_RECONF_PRES_EML_CAPA)
> @@ -893,6 +895,7 @@ static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len)
> break;
> case IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS:
> common = ETH_ALEN + 1;
> + check_common_len = true;
> break;
You just made check_common_len redundant; it's now always true.

I originally introduced it because variable[0] wasn't always common_len,
but that actually got fixed in later drafts, and we should've adjusted
that when we added +1 to all of these, e.g. commit 19aa842dcbb58.

We should probably more comprehensively change the whole thing so that
common_info_len is a separate u8 rather than variable[0], but that's
going to be much harder to do.

A smaller but probably better change would be to use the sub-structs
here that are defined, e.g. struct ieee80211_mle_preq_common_info,
struct ieee80211_mle_tdls_common_info and struct
ieee80211_mle_basic_common_info. But the layout is a bit stupid even
that way, dunno.

johannes