Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx> writes:

> On 7/7/2017 12:32 AM, Linus Torvalds wrote:
>> On Thu, Jul 6, 2017 at 10:11 AM, Arend van Spriel
>> <arend.vanspriel@xxxxxxxxxxxx> wrote:
>>>
>>> Looks fine to me so ...
>>
>> I really think that if we can't trust 'len', then we have to check
>> against the lower bound of DOT11_MGMT_HDR_LEN too, because otherwise
>> we'll just have a big 16-bit number instead.
>
> Fair enough. The firmware on the device should have a check in place,
> but guess what... :-( Anyway, the lower bound depends on the type of
> management frames. So for action frames it is DOT11_MGMT_HDR_LEN + 1
> /* Action Category */ + 1 /* Action */.
>
> Might be better to place the lower bound check in
> net/wireless/nl80211.c and do that appropriate for the type of
> management frame. That way it is assured for all wireless drivers.

So I drop this patch and wait for v2?

-- 
Kalle Valo
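
The length check discussed in this thread, as an added example that is not part of the original messages or of any driver's code: it shows the 16-bit wrap that results when only an upper bound is checked, next to a check with the type-dependent lower bound. The function names, the `mgmt_type` enum, the value 24 for `DOT11_MGMT_HDR_LEN` and the `MAX_BODY_LEN` limit are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed for illustration: the thread names the constant but gives no value. */
#define DOT11_MGMT_HDR_LEN 24u
/* Hypothetical size of the buffer the frame body is copied into. */
#define MAX_BODY_LEN 1800u

enum mgmt_type { MGMT_ACTION, MGMT_OTHER };

/* No lower bound: a frame shorter than the header makes the subtraction
 * wrap, and the truncated result is a large 16-bit body length. */
uint16_t body_len_unchecked(size_t len)
{
    return (uint16_t)(len - DOT11_MGMT_HDR_LEN);
}

/* Smallest valid frame for each type; action frames carry two more bytes. */
size_t mgmt_min_len(enum mgmt_type type)
{
    if (type == MGMT_ACTION)
        return DOT11_MGMT_HDR_LEN + 1 /* Action Category */ + 1 /* Action */;
    return DOT11_MGMT_HDR_LEN;
}

/* Returns 0 and stores the body length, or -1 if len is out of bounds.
 * The lower bound is tested first so the subtraction cannot wrap. */
int mgmt_body_len(enum mgmt_type type, size_t len, uint16_t *body_len)
{
    if (len < mgmt_min_len(type))
        return -1;
    if (len - DOT11_MGMT_HDR_LEN > MAX_BODY_LEN)
        return -1;
    *body_len = (uint16_t)(len - DOT11_MGMT_HDR_LEN);
    return 0;
}
```
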