On Wed, 2013-02-13 at 10:15 +0100, Johannes Berg wrote:
> On Tue, 2013-02-12 at 20:11 +0200, Luciano Coelho wrote:
> > cfg80211_find_vendor_ie() was checking only that the vendor IE would
> > fit in the remaining IEs buffer. If a corrupt includes a vendor IE
> > that is too small, we could potentially overrun the IEs buffer.
> >
> > Fix this by checking that the vendor IE fits in the reported IE length
> > field and skip it otherwise.
>
> Applied. I changed the BUILD_BUG_ON to be != 1 since it has to be that,
> but if one breaks that ...

Okay. But it actually needs to be 1 in the cfg80211_find_ie() function,
not here. Here we just need to make sure that ie->len is guaranteed to
fit in what we got. cfg80211_find_ie() guarantees that we have at least
2 bytes, thus the >= 2 I used.

Anyway, this is all *extremely* nitpicky already. :P

--
Luca.

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
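The thread is about two separate bounds to check when walking 802.11 information elements: the generic finder must guarantee that an element's header and its whole body lie inside the caller's buffer, and the vendor-specific finder must additionally check that the element's own length field covers the OUI and OUI-type bytes it is about to read. Below is an added, self-contained C example written for this page; it is not cfg80211 code and simplifies the kernel's interface (plain pointers and lengths instead of struct ieee80211_vendor_ie, a 4-byte minimum body chosen here because that is what the OUI plus type occupy). The element buffers are constructed for the example, not captured frames.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 802.11 element layout: [element id][length][length bytes of body]. */
#define EID_VENDOR_SPECIFIC 221

/* A vendor-specific body starts with a 3-byte OUI and a 1-byte OUI type
 * (assumption for this example: anything shorter is not worth parsing). */
#define VENDOR_IE_MIN_BODY 4

/*
 * Return the first element with id `eid`, or NULL.  On success the two
 * header bytes and all ies[1] body bytes lie inside [ies, ies + len);
 * an element whose length field runs past the buffer end yields NULL
 * instead of a pointer the caller could overrun with.
 */
const uint8_t *find_ie(uint8_t eid, const uint8_t *ies, size_t len)
{
	while (len >= 2 && ies[0] != eid) {
		size_t skip = 2 + (size_t)ies[1];

		if (skip > len)
			return NULL;	/* element overruns the buffer */
		ies += skip;
		len -= skip;
	}
	if (len < 2)
		return NULL;		/* no room for a header */
	if (len < 2 + (size_t)ies[1])
		return NULL;		/* matching element is truncated */
	return ies;
}

/*
 * Return the first vendor-specific element carrying `oui`/`oui_type`,
 * or NULL.  find_ie() only guarantees that the element fits in the
 * buffer; the second check here guarantees that the element's own
 * length field covers the four bytes read below, so a vendor element
 * advertised with a body shorter than that is skipped, not parsed.
 */
const uint8_t *find_vendor_ie(uint32_t oui, uint8_t oui_type,
			      const uint8_t *ies, size_t len)
{
	const uint8_t *pos = ies, *end = ies + len;

	while (pos < end) {
		const uint8_t *ie = find_ie(EID_VENDOR_SPECIFIC, pos,
					    (size_t)(end - pos));
		if (!ie)
			return NULL;

		if (ie[1] >= VENDOR_IE_MIN_BODY) {
			uint32_t ie_oui = (uint32_t)ie[2] << 16 |
					  (uint32_t)ie[3] << 8 | ie[4];

			if (ie_oui == oui && ie[5] == oui_type)
				return ie;
		}
		pos = ie + 2 + ie[1];	/* in bounds by find_ie()'s guarantee */
	}
	return NULL;
}

/* Constructed sample: SSID, a vendor element whose body is only 2 bytes,
 * then a well-formed vendor element with OUI 00:50:f2 and type 1. */
static const uint8_t sample_ies[] = {
	0x00, 0x04, 'w', 'l', 'a', 'n',
	0xdd, 0x02, 0x00, 0x50,
	0xdd, 0x06, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00,
};

/* Constructed sample: the vendor element claims 16 body bytes but only
 * 4 follow, so find_ie() must refuse it. */
static const uint8_t overrun_ies[] = {
	0x00, 0x04, 'w', 'l', 'a', 'n',
	0xdd, 0x10, 0x00, 0x50, 0xf2, 0x01,
};

int main(void)
{
	const uint8_t *ie;

	ie = find_vendor_ie(0x0050f2, 1, sample_ies, sizeof sample_ies);
	printf("sample:  %s (offset %td)\n", ie ? "found" : "not found",
	       ie ? ie - sample_ies : (ptrdiff_t)-1);

	ie = find_vendor_ie(0x0050f2, 1, overrun_ies, sizeof overrun_ies);
	printf("overrun: %s\n", ie ? "found" : "not found");
	return 0;
}
```

The first buffer exercises the case from the commit message: the 2-byte vendor element passes find_ie() (it does fit in the buffer) but is skipped by find_vendor_ie() because its length field does not cover an OUI and type, and the search continues to the well-formed element at offset 10. The second buffer shows the other layer: the length field points past the buffer end, find_ie() returns NULL, and nothing downstream ever dereferences it.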