diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index ee07692757bd..35783f13cc67 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1285,6 +1285,8 @@ static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len,
 	for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) {
 		if (elem->datalen < 2)
 			continue;
+		if (elem->data[0] < 1 || elem->data[0] > 8)
+			continue;
 
 		for_each_element(sub, elem->data + 1, elem->datalen - 1) {
 			u8 new_bssid[ETH_ALEN];
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index e4ebb980214d..75e26e366820 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1601,6 +1601,8 @@ static void cfg80211_parse_mbssid_data(struct wiphy *wiphy,
 	for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, ie, ielen) {
 		if (elem->datalen < 4)
 			continue;
+		if (elem->data[0] < 1 || (int)elem->data[0] > 8)
+			continue;
 		for_each_element(sub, elem->data + 1, elem->datalen - 1) {
 			u8 profile_len;