From: Johannes Berg

The HE operation element not only needs to be longer than the fixed part, but also have an appropriate size for the variable part inside of it. Check this.

Signed-off-by: Johannes Berg
---
 net/wireless/nl80211.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 18fbe6c78e82..7a1c9faef443 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -6673,8 +6673,12 @@ static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
 if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
 params->he_cap = (void *)(cap->data + 1);
 cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
- if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
+ if (cap && cap->datalen >= sizeof(*params->he_oper) + 1) {
 params->he_oper = (void *)(cap->data + 1);
+ /* takes extension ID into account */
+ if (cap->datalen < ieee80211_he_oper_size((void *)params->he_oper))
+ return -EINVAL;
+ }
 cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
 if (cap) {
 if (!cap->datalen)
-- 
2.53.0
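Review bot: The new check is correct but runs after `params->he_oper` has already been pointed at the element, so on the `-EINVAL` path the settings struct carries a pointer to an element known to be too short for its own flags; validating first keeps the struct clean if any caller does not treat the error as fatal. Reorder to `if (cap->datalen < ieee80211_he_oper_size(cap->data + 1)) return -EINVAL;` followed by `params->he_oper = (void *)(cap->data + 1);`, which also drops the `(void *)` round-trip through the struct pointer. The terse `/* takes extension ID into account */` would read better spelled out, e.g. `/* datalen and ieee80211_he_oper_size() both include the extension ID byte */`, since that equivalence is what makes the `<` comparison exact. The `he_cap` assignment two lines above still bounds only the fixed part of the HE capabilities element; whether its variable MCS/PPE tail is read by the AP path is not visible here, but it is the same class of check. nl80211_calculate_ap_params continues outside the hunk.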