wifi: cfg80211: fix off-by-one in element defrag

If a fragment is the last element, it's erroneously not
accepted. Fix that.

Fixes: f837a653a097 ("wifi: cfg80211: add element defragmentation helper")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230827135854.adca9fbd3317.I6b2df45eb71513f3e48efd196ae3cddec362dc1c@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 0cf1ce7b6934238626a9f3173e74af89ee0822cb..19516073c6d5c7a790a04b0c193d71593a208150 100644 (file)
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2354,8 +2354,8 @@ ssize_t cfg80211_defragment_element(const struct element *elem, const u8 *ies,
 
        /* elem might be invalid after the memmove */
        next = (void *)(elem->data + elem->datalen);
-
        elem_datalen = elem->datalen;
+
        if (elem->id == WLAN_EID_EXTENSION) {
                copied = elem->datalen - 1;
                if (copied > data_len)
@@ -2376,7 +2376,7 @@ ssize_t cfg80211_defragment_element(const struct element *elem, const u8 *ies,
 
        for (elem = next;
             elem->data < ies + ieslen &&
-               elem->data + elem->datalen < ies + ieslen;
+               elem->data + elem->datalen <= ies + ieslen;
             elem = next) {
                /* elem might be invalid after the memmove */
                next = (void *)(elem->data + elem->datalen);