Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> writes:

> On Thu, Jul 6, 2017 at 10:11 AM, Arend van Spriel
> <arend.vanspriel@xxxxxxxxxxxx> wrote:
>>
>> Looks fine to me so ...
>
> I really think that if we can't trust 'len', then we have to check
> against the lower bound of DOT11_MGMT_HDR_LEN too, because otherwise
> we'll just have a big 16-bit number instead.
>
> And we should do that brcmf_err() that I had in my version, which also
> lets people know they are being attacked.

I hope brcmf_err() is ratelimited so that the attacker cannot spam the
logs too much. BTW I didn't see your version of the patch, I guess it
was not CCed to linux-wireless.

Just a side note, but this discussion is not stored in patchwork, I only
see the original patch. No idea why:

https://patchwork.kernel.org/patch/9827721/

--
Kalle Valo
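
The lower-bound point raised in the quoted text, as an added example that is not part of this thread or of the brcmfmac driver: an untrusted `len` checked only against an upper limit still wraps to a large 16-bit value when the header length is subtracted. The value of `DOT11_MGMT_HDR_LEN`, the `MAX_BODY_LEN` limit and both function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed values: the thread names DOT11_MGMT_HDR_LEN but gives no value,
 * and MAX_BODY_LEN is a hypothetical upper limit on the frame body. */
#define DOT11_MGMT_HDR_LEN 24u
#define MAX_BODY_LEN       1800u

/* Upper bound only: a frame shorter than the header passes the check and
 * the 16-bit body length wraps around. Returns 0 if accepted, -1 if not. */
static int body_len_upper_only(size_t len, uint16_t *body_len)
{
    if (len > MAX_BODY_LEN + DOT11_MGMT_HDR_LEN)
        return -1;
    *body_len = (uint16_t)(len - DOT11_MGMT_HDR_LEN);
    return 0;
}

/* Both bounds: anything shorter than the header is rejected before the
 * subtraction, so body_len can never exceed MAX_BODY_LEN. */
static int body_len_checked(size_t len, uint16_t *body_len)
{
    if (len < DOT11_MGMT_HDR_LEN ||
        len > MAX_BODY_LEN + DOT11_MGMT_HDR_LEN)
        return -1;
    *body_len = (uint16_t)(len - DOT11_MGMT_HDR_LEN);
    return 0;
}

int main(void)
{
    /* Constructed sample lengths: too short, header only, normal, too long. */
    size_t samples[] = { 10, 24, 124, 1825 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint16_t a = 0, b = 0;
        int ra = body_len_upper_only(samples[i], &a);
        int rb = body_len_checked(samples[i], &b);
        printf("len=%zu upper-only: rc=%d body=%u | checked: rc=%d body=%u\n",
               samples[i], ra, (unsigned)a, rb, (unsigned)b);
    }
    return 0;
}
```
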