Re: [PATCH Try#12 2/3] cfg80211: Radiotap parser

Johannes Berg wrote:
> Hi Andy,
> 
> Sorry, I really hate doing this, but I found yet another problem :/
> 
> Hi Andy,
> 
> Sorry, I really hate having comments again and again but never really
> thought about this earlier, the FCS removal thing you added made me
> think...
> 
> 
>> + * @max_length: total length we can parse into (eg, whole packet length)
> 
>> +	/* sanity check for allowed length and radiotap length field */
>> +	if (max_length < le16_to_cpu(radiotap_header->it_len))
>> +		return -EINVAL;
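Review bot: the test `max_length < le16_to_cpu(radiotap_header->it_len)` reads it_len with no visible guarantee that max_length covers the fixed radiotap header, and it accepts an it_len smaller than that header. Unless an earlier check in the function already does so, compare both max_length and it_len against sizeof(*radiotap_header) before this test and return -EINVAL on failure.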
> 
>> +	iterator->max_length = le16_to_cpu(radiotap_header->it_len);
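Review bot: iterator->max_length is assigned the header's it_len, while the @max_length kernel-doc describes the parameter of the same name as the total length the caller allows, so one name carries two different meanings. Document the iterator field as the length claimed by the radiotap header (or rename it), and state in the kernel-doc that the caller's limit is compared only once, at init.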
> 
> This is fine, at first sight, but if you let the caller modify the skb
> like mac80211 now does with stripping the FCS, the max length really
> needs to be passed to each invocation of
> ieee80211_radiotap_iterator_next in order to catch invalid skbs. Mind
> you, we wouldn't Oops since trimming just moves the skb tail pointer,
> but something that indicated a longer length and then just have a packet
> like

Hi Johannes -

No, it sounds a real issue, don't feel bad!  I will look at it
this morning and fold the changes from Michael into another try.

-Andy
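
The length concern raised in the quoted review, as an added example that is not code from the patch or from cfg80211: a minimal iterator that checks it_len once at init and then re-checks every field against the length the caller passes on each call, so a buffer trimmed after init is caught. The names `rt_iter`, `rt_init`, `rt_next` and `sample_pkt` are hypothetical; only the first four radiotap fields are handled and extended present bitmaps are ignored.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: it_len = 14, present = FLAGS|RATE|CHANNEL, 6 payload bytes. */
const uint8_t sample_pkt[20] = { 0, 0, 14, 0, 0x0e, 0, 0, 0,
                                 0x10, 0x02, 0x6c, 0x09, 0xa0, 0x00 };
/* Size and alignment of radiotap fields 0..3: TSFT, FLAGS, RATE, CHANNEL. */
static const uint8_t rt_size[4]  = { 8, 1, 1, 4 };
static const uint8_t rt_align[4] = { 8, 1, 1, 2 };

struct rt_iter {            /* hypothetical, not the cfg80211 struct */
    const uint8_t *buf;
    size_t it_len, off;     /* header's claimed length; end of last field */
    uint32_t present;       /* first it_present word */
    int bit;                /* next present bit to examine */
};

/* Returns 0, or -1 if the header is malformed or claims more than buf_len. */
int rt_init(struct rt_iter *it, const uint8_t *buf, size_t buf_len)
{
    if (buf_len < 8 || buf[0] != 0)   /* 8-byte fixed header, version 0 */
        return -1;
    it->it_len = (size_t)buf[2] | ((size_t)buf[3] << 8);
    if (it->it_len < 8 || it->it_len > buf_len)
        return -1;
    it->present = buf[4] | (buf[5] << 8) | (buf[6] << 16) | ((uint32_t)buf[7] << 24);
    it->buf = buf;
    it->off = 8;
    it->bit = 0;
    return 0;
}

/* cur_len is the buffer length now; the caller may have trimmed it since init.
 * Returns the field index, -1 when finished, -2 if a field would overrun. */
int rt_next(struct rt_iter *it, size_t cur_len, const uint8_t **arg)
{
    size_t limit = it->it_len < cur_len ? it->it_len : cur_len;
    for (; it->bit < 4; it->bit++) {
        size_t a = rt_align[it->bit], start = (it->off + a - 1) & ~(a - 1);
        if (!(it->present & (1u << it->bit)))
            continue;
        if (start + rt_size[it->bit] > limit)
            return -2;
        *arg = it->buf + start;
        it->off = start + rt_size[it->bit];
        return it->bit++;
    }
    return -1;
}
```

A -2 return leaves the iterator state unchanged, so the same field is re-evaluated on the next call.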