In the Linux kernel, the following vulnerability has been resolved:

wifi: nl80211: fix NL80211ATTRMLOLINKID off-by-one

Since the netlink attribute range validation provides inclusive checking, the max of attribute NL80211ATTRMLOLINKID should be IEEE80211MLDMAXNUMLINKS - 1 otherwise causing an off-by-one.

One crash stack for demonstration:

BUG: KASAN: wild-memory-access in ieee80211txcontrol_port+0x3b6/0xca0 net/mac80211/tx.c:5939 Read of size 6 at addr 001102080000000c by task fuzzer.386/9508

CPU: 1 PID: 9508 Comm: syz.1.386 Not tainted 6.1.70 #2 Call Trace: <TASK> __dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0x177/0x231 lib/dumpstack.c:106 printreport+0xe0/0x750 mm/kasan/report.c:398 kasanreport+0x139/0x170 mm/kasan/report.c:495 kasancheckrange+0x287/0x290 mm/kasan/generic.c:189 memcpy+0x25/0x60 mm/kasan/shadow.c:65 ieee80211txcontrolport+0x3b6/0xca0 net/mac80211/tx.c:5939 rdevtxcontrolport net/wireless/rdev-ops.h:761 [inline] nl80211txcontrolport+0x7b3/0xc40 net/wireless/nl80211.c:15453 genlfamilyrcvmsgdoit+0x22e/0x320 net/netlink/genetlink.c:756 genlfamilyrcvmsg net/netlink/genetlink.c:833 [inline] genlrcvmsg+0x539/0x740 net/netlink/genetlink.c:850 netlinkrcvskb+0x1de/0x420 net/netlink/afnetlink.c:2508 genlrcv+0x24/0x40 net/netlink/genetlink.c:861 netlinkunicastkernel net/netlink/afnetlink.c:1326 [inline] netlinkunicast+0x74b/0x8c0 net/netlink/afnetlink.c:1352 netlinksendmsg+0x882/0xb90 net/netlink/afnetlink.c:1874 socksendmsgnosec net/socket.c:716 [inline] __sock_sendmsg net/socket.c:728 [inline] ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499 ___sys_sendmsg+0x21c/0x290 net/socket.c:2553 __sys_sendmsg net/socket.c:2582 [inline] __dosyssendmsg net/socket.c:2591 [inline] __sesyssendmsg+0x19e/0x270 net/socket.c:2589 dosyscallx64 arch/x86/entry/common.c:51 [inline] dosyscall64+0x45/0x90 arch/x86/entry/common.c:81 entrySYSCALL64afterhwframe+0x63/0xcd

Update the policy to ensure correct validation.