nl80211: correctly validate MU-MIMO groups

Since groups 0 and 63 are invalid, we should check for those bits.
Note that the 802.11 spec specifies the *bit* order, but the CPU
doesn't care about bit order since it can't address bits, so it's
always treating BIT(0) as the lowest bit within a byte.

Reported-by: Jan Fuchs <jan.fuchs@lancom.de>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 570fc95dc507d8ee08a329e6b313b517fd78ce83..c3bc9da30cff997970dc2cf8aebd05c4795c3cf9 100644 (file)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2764,8 +2764,8 @@ static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
                        nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
 
                /* bits 0 and 63 are reserved and must be zero */
-               if ((mumimo_groups[0] & BIT(7)) ||
-                   (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(0)))
+               if ((mumimo_groups[0] & BIT(0)) ||
+                   (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
                        return -EINVAL;
 
                params->vht_mumimo_groups = mumimo_groups;