wifi: cfg80211: reject HTC bit for management frames

[ Upstream commit be06a8c7313943109fa870715356503c4c709cbc ] Management frames sent by userspace should never have the order/HTC bit set, reject that. It could also cause some confusion with the length of the buffer and the header so the validation might end up wrong. Link: https://patch.msgid.link/20250718202307.97a0455f0f35.I1805355c7e331352df16611839bc8198c855a33f@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Johannes Berg <johannes.berg@intel.com> 2025-07-18 21:23:06 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-08-20 19:36:02 +0300
commit: 43c9ecab17e8ada5295ba056dc48a10eead3c122 (patch)
tree: a1773e757c93ebc7985019efd3ccfa7f84c14ece
parent: b7c8163e0913efc24d8239147dc57f8d794530af (diff)
download: linux-43c9ecab17e8ada5295ba056dc48a10eead3c122.tar.xz
1 files changed, 2 insertions, 1 deletions
diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index 05d44a443518..fd88a32d43d6 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -850,7 +850,8 @@ int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev,
 
 	mgmt = (const struct ieee80211_mgmt *)params->buf;
 
-	if (!ieee80211_is_mgmt(mgmt->frame_control))
+	if (!ieee80211_is_mgmt(mgmt->frame_control) ||
+	    ieee80211_has_order(mgmt->frame_control))
 		return -EINVAL;
 
 	stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE;
author	Johannes Berg <johannes.berg@intel.com>	2025-07-18 21:23:06 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-08-20 19:36:02 +0300
commit	43c9ecab17e8ada5295ba056dc48a10eead3c122 (patch)
tree	a1773e757c93ebc7985019efd3ccfa7f84c14ece
parent	b7c8163e0913efc24d8239147dc57f8d794530af (diff)
download	linux-43c9ecab17e8ada5295ba056dc48a10eead3c122.tar.xz