Merge branch 'cve-fixes-2022-10-13'

Pull in the fixes for various scan parsing bugs found by Sönke Huster by fuzzing.
author: Johannes Berg <johannes.berg@intel.com> 2022-10-13 11:59:16 +0200
committer: Johannes Berg <johannes.berg@intel.com> 2022-10-13 11:59:56 +0200
commit: e7ad651c31c5e1289323e6c680be6e582a593b26 (patch)
tree: 7170b192203a8fafc16ccee7ce79d475d8df0272 /drivers/net/wireless
parent: abf93f369419249ca482a8911039fe1c75a94227 (diff)
parent: c90b93b5b782891ebfda49d4e5da36632fefd5d1 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index df51b5b1f171..a40636c90ec3 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -4973,6 +4973,8 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
 	}
 
 	rx_status.rate_idx = nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]);
+	if (rx_status.rate_idx >= data2->hw->wiphy->bands[rx_status.band]->n_bitrates)
+		goto out;
 	rx_status.signal = nla_get_u32(info->attrs[HWSIM_ATTR_SIGNAL]);
 
 	hdr = (void *)skb->data;
author	Johannes Berg <johannes.berg@intel.com>	2022-10-13 11:59:16 +0200
committer	Johannes Berg <johannes.berg@intel.com>	2022-10-13 11:59:56 +0200
commit	e7ad651c31c5e1289323e6c680be6e582a593b26 (patch)
tree	7170b192203a8fafc16ccee7ce79d475d8df0272 /drivers/net/wireless
parent	abf93f369419249ca482a8911039fe1c75a94227 (diff)
parent	c90b93b5b782891ebfda49d4e5da36632fefd5d1 (diff)