Description
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration link_id is taken from the ML Reconfiguration element (control & 0x000f), so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS (15) elements, so index 15 is out-of-bounds. Skip subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds write.
Product status
8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c (git) before 650981e718e68005ca2760a6358134b8a98ebea4
8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c (git) before bfde158d5d1322c0c2df398a8d1ccce04943be2e
8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c (git) before f35ceec54d48e227fa46f8f97fd100a77b8eab15
8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c (git) before d58d71c2167601762351962b9604808d3be94400
8eb8dd2ffbbb6b0b8843b66754ee9f129f1b2d6c (git) before 162d331d833dc73a3e905a24c44dd33732af1fc5
6.5
Any version before 6.5
6.6.130 (semver)
6.12.77 (semver)
6.18.17 (semver)
6.19.7 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/650981e718e68005ca2760a6358134b8a98ebea4
git.kernel.org/...c/bfde158d5d1322c0c2df398a8d1ccce04943be2e
git.kernel.org/...c/f35ceec54d48e227fa46f8f97fd100a77b8eab15
git.kernel.org/...c/d58d71c2167601762351962b9604808d3be94400
git.kernel.org/...c/162d331d833dc73a3e905a24c44dd33732af1fc5