From e8d4e4fe967d6b4f77e5820dafbe84676eb20b25 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich <jo@mein.io>
Date: Thu, 14 Dec 2023 16:30:51 +0100
Subject: [PATCH] nl80211: fix decoding of
 NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET attribute

- The expected length was incorrect
- An incorrect MCS MAP index was accessed
- The maximum MCS index number were wrong

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
---
 lib/nl80211.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/nl80211.c b/lib/nl80211.c
index 03d1600b..d7c94b8a 100644
--- a/lib/nl80211.c
+++ b/lib/nl80211.c
@@ -1356,7 +1356,7 @@ uc_nl_convert_rta_he_mcs(const uc_nl_attr_spec_t *spec, struct nl_msg *msg, stru
 {
 	uint8_t bw_support_mask[] = { (1 << 1) | (1 << 2), (1 << 3), (1 << 4) };
 	uc_value_t *mcs_set, *mcs_bw, *mcs_dir, *mcs_entry, *mcs_idx;
-	uint16_t bw[] = { 80, 160, 8080 }, mcs[16];
+	uint16_t bw[] = { 80, 160, 8080 }, mcs[6];
 	uint16_t u16, phy_cap_0 = 0;
 	size_t i, j, k, l, max_idx;
 
@@ -1380,14 +1380,14 @@ uc_nl_convert_rta_he_mcs(const uc_nl_attr_spec_t *spec, struct nl_msg *msg, stru
 			mcs_dir = ucv_array_new_length(vm, 8);
 
 			for (k = 0; k < 8; k++) {
-				u16 = mcs[(i * 2) + k];
+				u16 = mcs[(i * 2) + j];
 				u16 >>= k * 2;
 				u16 &= 0x3;
 
 				switch (u16) {
 				case 0: max_idx = 7; break;
-				case 1: max_idx = 8; break;
-				case 2: max_idx = 9; break;
+				case 1: max_idx = 9; break;
+				case 2: max_idx = 11; break;
 				case 3: continue;
 				}