6f08515db7e70a29ef23732c29038524409b4513 - third_party/linux

commit: 6f08515db7e70a29ef23732c29038524409b4513
[log]
author: Ariel Silver <arielsilver77@gmail.com>
Fri Feb 20 10:11:29 2026 +0000
committer: Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>
Sat Mar 21 14:17:58 2026 -0700
tree: a0d75c6059529d4b64a346dc4ba4b92e6c281f4e
parent: 8acd10ea69753b6ab2008ad64011d52715542e60 [diff]

CHROMIUM: iwl7000: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration

link_id is taken from the ML Reconfiguration element (control & 0x000f),
so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS
(15) elements, so index 15 is out-of-bounds. Skip subelements with
link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds
write.

BUG=b:494174686
TEST=wifi_matfunc,wifi_perf

Change-Id: I162d331d833dc73a3e905a24c44dd33732af1fc5
Fixes: 8eb8dd2ffbbb ("wifi: mac80211: Support link removal using Reconfiguration ML element")
Reported-by: Ariel Silver <arielsilver77@gmail.com>
Signed-off-by: Ariel Silver <arielsilver77@gmail.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260220101129.1202657-1-Ariel.Silver@cybereason.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
iwl7000-tree: 089e612af1308090e9c50ae78dc9bc0dd2a44f69
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/7676757
Reviewed-by: David Ruth <druth@chromium.org>
Commit-Queue: David Ruth <druth@chromium.org>
Tested-by: Guy Damary <guy.damary@intel.corp-partner.google.com>
Tested-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.corp-partner.google.com>
Reviewed-by: Guy Damary <guy.damary@intel.corp-partner.google.com>
Reviewed-by: Tzung-Bi Shih <tzungbi@chromium.org>

drivers/net/wireless/iwl7000/mac80211/mlme.c[diff]

1 file changed

tree: a0d75c6059529d4b64a346dc4ba4b92e6c281f4e