wifi: mac80211: check S1G action frame size

Before checking the action code, check that it even
exists in the frame.

Reported-by: syzbot+be9c824e6f269d608288@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 4f707d2a160fda5f3bd5507c691008f0f92fcc6e..33f9764b94de2310af69ffd5a113dbd65e664d06 100644 (file)
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3732,6 +3732,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                        break;
                goto queue;
        case WLAN_CATEGORY_S1G:
+               if (len < offsetofend(typeof(*mgmt),
+                                     u.action.u.s1g.action_code))
+                       break;
+
                switch (mgmt->u.action.u.s1g.action_code) {
                case WLAN_S1G_TWT_SETUP:
                case WLAN_S1G_TWT_TEARDOWN: