From 68c9e874a5978e6ddd79e0c7b9479d85444a859c Mon Sep 17 00:00:00 2001
From: mohammadmseet-hue <mohammadmseet@gmail.com>
Date: Sat, 11 Apr 2026 18:57:53 +0200
Subject: [PATCH] Fix panic on malformed Dot11 InformationElement packets

For vendor IEs (ID=221), check m.Length >= 4 before reading OUI and
splitting data. The previous bounds check was applied to all IE types
regardless of vendor status, and did not prevent a panic when a vendor
IE had Length < 4.
---
 layers/dot11.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/layers/dot11.go b/layers/dot11.go
index 3e6491061..2fe58658a 100644
--- a/layers/dot11.go
+++ b/layers/dot11.go
@@ -1470,12 +1470,12 @@ func (m *Dot11InformationElement) DecodeFromBytes(data []byte, df gopacket.Decod
 		df.SetTruncated()
 		return fmt.Errorf("Dot11InformationElement length %v too short, %v required", len(data), offset+int(m.Length))
 	}
-	if len(data) < offset+4 {
-		df.SetTruncated()
-		return fmt.Errorf("vendor extension size < %d", offset+int(m.Length))
-	}
 	if m.ID == 221 {
 		// Vendor extension
+		if int(m.Length) < 4 {
+			df.SetTruncated()
+			return fmt.Errorf("Dot11InformationElement vendor IE length %d too short, 4 required", m.Length)
+		}
 		m.OUI = data[offset : offset+4]
 		m.Info = data[offset+4 : offset+int(m.Length)]
 	} else {