CHROMIUM: iwl7000: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration link_id is taken from the ML Reconfiguration element (control & 0x000f), so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS (15) elements, so index 15 is out-of-bounds. Skip subelements with link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds write. BUG=b:494174686 TEST=wifi_matfunc,wifi_perf Change-Id: I162d331d833dc73a3e905a24c44dd33732af1fc5 Fixes: 8eb8dd2ffbbb ("wifi: mac80211: Support link removal using Reconfiguration ML element") Reported-by: Ariel Silver <[email protected]> Signed-off-by: Ariel Silver <[email protected]> Cc: [email protected] Link: https://patch.msgid.link/[email protected] Signed-off-by: Johannes Berg <[email protected]> iwl7000-tree: 089e612af1308090e9c50ae78dc9bc0dd2a44f69 Signed-off-by: Miri Korenblit <[email protected]> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/7676758 Reviewed-by: Guy Damary <[email protected]> Commit-Queue: David Ruth <[email protected]> Reviewed-by: Tzung-Bi Shih <[email protected]> Reviewed-by: David Ruth <[email protected]> Tested-by: Miriam Rachel Korenblit <[email protected]> Tested-by: Guy Damary <[email protected]>