1 files changed, 0 insertions, 41 deletions

diff --git a/package/kernel/mac80211/patches/subsys/354-wifi-cfg80211-ensure-length-byte-is-present-before-a.patch b/package/kernel/mac80211/patches/subsys/354-wifi-cfg80211-ensure-length-byte-is-present-before-a.patch
deleted file mode 100644
index da94840dac..0000000000
--- a/package/kernel/mac80211/patches/subsys/354-wifi-cfg80211-ensure-length-byte-is-present-before-a.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Thu, 29 Sep 2022 21:50:44 +0200
-Subject: [PATCH] wifi: cfg80211: ensure length byte is present before
- access
-
-commit 567e14e39e8f8c6997a1378bc3be615afca86063 upstream.
-
-When iterating the elements here, ensure the length byte is
-present before checking it to see if the entire element will
-fit into the buffer.
-
-Longer term, we should rewrite this code using the type-safe
-element iteration macros that check all of this.
-
-Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
-Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/wireless/scan.c
-+++ b/net/wireless/scan.c
-@@ -304,7 +304,8 @@ static size_t cfg80211_gen_new_ie(const
- 	tmp_old = cfg80211_find_ie(WLAN_EID_SSID, ie, ielen);
- 	tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + 2 : ie;
- 
--	while (tmp_old + tmp_old[1] + 2 - ie <= ielen) {
-+	while (tmp_old + 2 - ie <= ielen &&
-+	       tmp_old + tmp_old[1] + 2 - ie <= ielen) {
- 		if (tmp_old[0] == 0) {
- 			tmp_old++;
- 			continue;
-@@ -364,7 +365,8 @@ static size_t cfg80211_gen_new_ie(const
- 	 * copied to new ie, skip ssid, capability, bssid-index ie
- 	 */
- 	tmp_new = sub_copy;
--	while (tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
-+	while (tmp_new + 2 - sub_copy <= subie_len &&
-+	       tmp_new + tmp_new[1] + 2 - sub_copy <= subie_len) {
- 		if (!(tmp_new[0] == WLAN_EID_NON_TX_BSSID_CAP ||
- 		      tmp_new[0] == WLAN_EID_SSID)) {
- 			memcpy(pos, tmp_new, tmp_new[1] + 2);