On Thu, Jul 06, 2017 at 03:32:42PM -0700, Linus Torvalds wrote:
> On Thu, Jul 6, 2017 at 10:11 AM, Arend van Spriel
> <arend.vanspriel@xxxxxxxxxxxx> wrote:
> >
> > Looks fine to me so ...
>
> I really think that if we can't trust 'len', then we have to check
> against the lower bound of DOT11_MGMT_HDR_LEN too, because otherwise
> we'll just have a big 16-bit number instead.

There is already a check in cfg80211_mlme_mgmt_tx().

	if (params->len < 24 + 1)
		return -EINVAL;

It probably should be using DOT11_MGMT_HDR_LEN instead of a magic 24.

regards,
dan carpenter
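
The wrap-around discussed in this message, as an added example that is not part of the original e-mail or of the kernel source: it compares an upper-bound-only length check with one that also enforces the lower bound. `BODY_MAX` and both function names are hypothetical, and `DOT11_MGMT_HDR_LEN` is assumed to be 24, as the message implies.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed: the message treats DOT11_MGMT_HDR_LEN as the literal 24. */
#define DOT11_MGMT_HDR_LEN 24u
/* Hypothetical maximum body size, standing in for a driver's limit. */
#define BODY_MAX 1800u

/* Upper bound only: a frame shorter than the header passes the check,
 * and the subtraction wraps when stored in a 16-bit length field.
 * Returns the body length that would be used, or -1 if rejected. */
static long body_len_upper_only(size_t len)
{
	if (len > DOT11_MGMT_HDR_LEN + BODY_MAX)
		return -1;
	return (uint16_t)(len - DOT11_MGMT_HDR_LEN);
}

/* Both bounds, mirroring "len < 24 + 1" from cfg80211_mlme_mgmt_tx():
 * the frame must carry the header plus at least one body byte. */
static long body_len_both_bounds(size_t len)
{
	if (len < DOT11_MGMT_HDR_LEN + 1)
		return -1;
	if (len > DOT11_MGMT_HDR_LEN + BODY_MAX)
		return -1;
	return (uint16_t)(len - DOT11_MGMT_HDR_LEN);
}

int main(void)
{
	/* Constructed sample lengths: empty, short, header only,
	 * minimal valid, maximum valid, one byte too long. */
	size_t samples[] = { 0, 10, 24, 25, 24 + BODY_MAX, 24 + BODY_MAX + 1 };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("len=%zu upper_only=%ld both=%ld\n", samples[i],
		       body_len_upper_only(samples[i]),
		       body_len_both_bounds(samples[i]));
	return 0;
}
```
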