On 7/7/2017 12:32 AM, Linus Torvalds wrote:
> On Thu, Jul 6, 2017 at 10:11 AM, Arend van Spriel
> <arend.vanspriel@xxxxxxxxxxxx> wrote:
>> Looks fine to me so ...
>
> I really think that if we can't trust 'len', then we have to check
> against the lower bound of DOT11_MGMT_HDR_LEN too, because otherwise
> we'll just have a big 16-bit number instead.

Fair enough. The firmware on the device should have a check in place,
but guess what... :-( Anyway, the lower bound depends on the type of
management frames. So for action frames it is DOT11_MGMT_HDR_LEN + 1 /*
Action Category */ + 1 /* Action */.

Might be better to place the lower bound check in net/wireless/nl80211.c
and do that appropriately for the type of management frame. That way it is
assured for all wireless drivers.

> And we should do that brcmf_err() that I had in my version, which also
> lets people know they are being attacked.

Ok.

Regards,
Arend
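
Added example, not part of the original message and not the brcmfmac or nl80211 code: a standalone C sketch of the two-sided check discussed above, showing the 16-bit value that results when 'len' is shorter than the header and the action-frame lower bound of DOT11_MGMT_HDR_LEN + 2. The ex_* function names, ACTION_FIXED_LEN and EX_MAX_BODY_LEN (with its value) are assumptions made for illustration; 24 is the size of the 802.11 management header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DOT11_MGMT_HDR_LEN 24   /* 802.11 management header size in bytes */
#define ACTION_FIXED_LEN   2    /* Action Category (1) + Action (1) */
#define EX_MAX_BODY_LEN    1800 /* assumed destination buffer size (hypothetical) */

/* What an unchecked subtraction yields once stored in a 16-bit length field. */
uint16_t ex_unchecked_body_len(size_t len)
{
    return (uint16_t)(len - DOT11_MGMT_HDR_LEN);
}

/*
 * Check len against both bounds before deriving the body length.
 * Returns 0 and sets *body_len on success, -1 if the frame must be rejected.
 */
int ex_action_body_len(size_t len, uint16_t *body_len)
{
    if (len < DOT11_MGMT_HDR_LEN + ACTION_FIXED_LEN)
        return -1; /* too short: the subtraction below would wrap */
    if (len - DOT11_MGMT_HDR_LEN > EX_MAX_BODY_LEN)
        return -1; /* too long for the destination buffer */
    *body_len = (uint16_t)(len - DOT11_MGMT_HDR_LEN);
    return 0;
}

int main(void)
{
    size_t lens[] = { 10, 25, 26, 1824, 1825 }; /* constructed sample lengths */
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        uint16_t n = 0;
        int ok = ex_action_body_len(lens[i], &n) == 0;
        printf("len=%zu unchecked=%u -> %s\n", lens[i],
               (unsigned)ex_unchecked_body_len(lens[i]), ok ? "accept" : "reject");
    }
    return 0;
}
```

In a driver, the reject paths are where the error log mentioned above would go.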