On Fri, Jul 07, 2017 at 11:40:26AM +0300, Kalle Valo wrote:
> Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> writes:
>
> > On Thu, Jul 6, 2017 at 10:11 AM, Arend van Spriel
> > <arend.vanspriel@xxxxxxxxxxxx> wrote:
> >>
> >> Looks fine to me so ...
> >
> > I really think that if we can't trust 'len', then we have to check
> > against the lower bound of DOT11_MGMT_HDR_LEN too, because otherwise
> > we'll just have a big 16-bit number instead.
> >
> > And we should do that brcmf_err() that I had in my version, which also
> > lets people know they are being attacked.
>
> I hope brcmf_err() is ratelimited so that the attacker cannot spam the
> logs too much.

The attacker already has CAP_NET_ADMIN here so you're probably already
toasted.

regards,
dan carpenter
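
The lower-bound point raised in the thread, as an added example that is not code from the thread or from the driver: an upper-bound-only check lets a short 'len' wrap into a large 16-bit payload length, while checking both bounds before the subtraction rejects it. The function names, the two constant values, and the counter that stands in for kernel log rate limiting are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

/* Assumed values for illustration; the thread names DOT11_MGMT_HDR_LEN
 * but gives neither constant. */
#define DOT11_MGMT_HDR_LEN 24u
#define ACTION_FRAME_MAX   1800u  /* hypothetical payload buffer size */

/* Upper-bound-only check: a short frame passes, and the subtraction wraps. */
static int payload_len_upper_only(size_t len, uint16_t *out)
{
    if (len > ACTION_FRAME_MAX + DOT11_MGMT_HDR_LEN)
        return -EINVAL;
    *out = (uint16_t)(len - DOT11_MGMT_HDR_LEN); /* wraps when len < 24 */
    return 0;
}

static unsigned int rejected; /* rejected-frame count, used to limit logging */

/* Both bounds checked before the subtraction; log only the first few hits. */
static int payload_len_checked(size_t len, uint16_t *out)
{
    if (len < DOT11_MGMT_HDR_LEN ||
        len - DOT11_MGMT_HDR_LEN > ACTION_FRAME_MAX) {
        if (rejected++ < 3)
            fprintf(stderr, "invalid action frame length %zu\n", len);
        return -EINVAL;
    }
    *out = (uint16_t)(len - DOT11_MGMT_HDR_LEN);
    return 0;
}

int main(void)
{
    uint16_t n = 0;
    int rc = payload_len_upper_only(10, &n); /* constructed short length */
    printf("upper-only: rc=%d payload=%u\n", rc, (unsigned)n);
    rc = payload_len_checked(10, &n);
    printf("checked:    rc=%d\n", rc);
    return 0;
}
```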