From dec626109eaebbcc2c59d0fa51d2c5562444fa16 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Thu, 3 Mar 2022 01:24:02 +0200
Subject: [PATCH] HE: Fix invalid length checking for HE Capability element

Do not use the first octet of the PPE Thresholds field without explicitly confirming that that octet was included in the element. Furthermore, allow the received element to have additional octets in the end since IEEE Std 802.11ax-2021 defines this to be an extensible element and new fields could be added to the end of it in the future.

Fixes: 0497e4148197 ("HE: Fix HE Capabilities element size")
Signed-off-by: Jouni Malinen
---
 src/ap/ieee802_11_he.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/ap/ieee802_11_he.c b/src/ap/ieee802_11_he.c
index 6e368ff33..5042286c2 100644
--- a/src/ap/ieee802_11_he.c
+++ b/src/ap/ieee802_11_he.c
@@ -66,6 +66,7 @@ static int ieee80211_invalid_he_cap_size(const u8 *buf, size_t len)
 {
 	struct ieee80211_he_capabilities *cap;
 	size_t cap_len;
+	u8 ppe_thres_hdr;
 
 	cap = (struct ieee80211_he_capabilities *) buf;
 	cap_len = sizeof(*cap) - sizeof(cap->optional);
@@ -76,9 +77,11 @@ static int ieee80211_invalid_he_cap_size(const u8 *buf, size_t len)
 	if (len < cap_len)
 		return 1;
 
-	cap_len += ieee80211_he_ppet_size(buf[cap_len], cap->he_phy_capab_info);
+	ppe_thres_hdr = len > cap_len ? buf[cap_len] : 0xff;
+	cap_len += ieee80211_he_ppet_size(ppe_thres_hdr,
+					  cap->he_phy_capab_info);
 
-	return len != cap_len;
+	return len < cap_len;
 }
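Review bot: The 0xff fallback on the new line `ppe_thres_hdr = len > cap_len ? buf[cap_len] : 0xff;` is an undocumented contract with ieee80211_he_ppet_size(): an element whose PHY capabilities advertise PPE Thresholds but which omits the field is rejected only if the helper turns 0xff into a nonzero (presumably maximal) size so that the final `return len < cap_len;` fires, and nothing in the hunk says so. Anyone later adjusting the helper's size computation or the sentinel could silently make such a truncated element pass as complete, which is exactly the class of length bug this commit is fixing. I would put a comment above the ternary along the lines of `/* PPE Thresholds octet missing: use 0xff so ieee80211_he_ppet_size() returns its largest size and the length check below rejects an element whose PHY capabilities claim the field is present */`, or make the rejection explicit by returning 1 when the PPE Thresholds Present bit is set and len == cap_len. ieee80211_he_ppet_size() is not visible here, so confirm it really does return nonzero for 0xff whenever the present bit is set before relying on the sentinel. The function's opening brace and local declarations are in the previous hunk, outside this one.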