diff options
| author |   Johannes Berg <johannes.berg@intel.com> | 2026-05-08 09:10:31 +0200 |
|---|---|---|
| committer | Johannes Berg <johannes.berg@intel.com> | 2026-05-20 11:19:52 +0200 |
| commit | a74e893f30db64cdce0fc7a96d3baa417bcd55f5 (patch) | |
| tree | 5148406a0ecfb04c543d6a3fd4397c55fb6dad2a /tools/testing | |
| parent | wifi: mac80211: don't override max_amsdu_subframes (diff) | |
wifi: mac80211: fix MLE defragmentation
If either reconf or EPCS multi-link element (MLE) is contained in
a non-transmitted profile, the defragmentation routine is called
with a pointer to the defragmented copy, but the original elements.
This is incorrect for two reasons:
- if the original defragmentation was needed, it will not find the
correct data
- if the original frame is at a higher address, the parsing will
potentially overrun the heap data (though given the layout of
the buffers, only into the new defragmentation buffer, and then
it has to stop and fail once that's filled with copied data.
Fix it by tracking the container along with the pointer and in
doing so also unify the two almost identical defragmentation
routines.
Fixes: 4d70e9c5488d ("wifi: mac80211: defragment reconfiguration MLE when parsing")
Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Link: https://patch.msgid.link/20260508091031.8a6c34613178.I4de16ebbce2d27f2f8f98fc49949c7a376c2fe8d@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'tools/testing')
0 files changed, 0 insertions, 0 deletions