On 7/7/2017 10:49 AM, Dan Carpenter wrote:
> On Fri, Jul 07, 2017 at 11:40:26AM +0300, Kalle Valo wrote:
>> Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> writes:
>>
>>> On Thu, Jul 6, 2017 at 10:11 AM, Arend van Spriel
>>> <arend.vanspriel@xxxxxxxxxxxx> wrote:
>>>>
>>>> Looks fine to me so ...
>>>
>>> I really think that if we can't trust 'len', then we have to check
>>> against the lower bound of DOT11_MGMT_HDR_LEN too, because otherwise
>>> we'll just have a big 16-bit number instead.
>>>
>>> And we should do that brcmf_err() that I had in my version, which also
>>> lets people know they are being attacked.
>>
>> I hope brcmf_err() is ratelimited so that the attacker cannot spam the
>> logs too much.
>
> The attacker already has CAP_NET_ADMIN here so you're probably already
> toasted.

Indeed and brcmf_err() is ratelimited when built without CONFIG_BRCMDBG,
which is what distros typically do.

Regards,
Arend
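
The lower-bound point raised in the thread, as an added example that is not code from the thread or from the brcmfmac driver: a length shorter than the header wraps to a large 16-bit value, passes an upper-bound-only check, and is rejected once both bounds are tested. The numeric values, `struct action_frame`, `ACTION_FRAME_MAX` and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOT11_MGMT_HDR_LEN 24u    /* assumed: 802.11 management header size */
#define ACTION_FRAME_MAX   1800u  /* assumed capacity of the destination buffer */

struct action_frame {             /* hypothetical destination structure */
    uint16_t len;
    uint8_t  data[ACTION_FRAME_MAX];
};

/* Payload length as stored in a 16-bit field when 'len' is not validated. */
static uint16_t unchecked_payload_len(size_t len)
{
    return (uint16_t)(len - DOT11_MGMT_HDR_LEN);   /* wraps when len < 24 */
}

/* Upper bound only: accepts a frame shorter than the header. */
static int upper_only_ok(size_t len)
{
    return len <= DOT11_MGMT_HDR_LEN + ACTION_FRAME_MAX;
}

/* Both bounds, then copy. Returns the payload length, or -1 on a bad 'len'. */
static int copy_action_frame(struct action_frame *af, const uint8_t *buf, size_t len)
{
    if (len < DOT11_MGMT_HDR_LEN || len > DOT11_MGMT_HDR_LEN + ACTION_FRAME_MAX)
        return -1;                 /* a driver would log the rejection here */
    af->len = (uint16_t)(len - DOT11_MGMT_HDR_LEN);
    memcpy(af->data, buf + DOT11_MGMT_HDR_LEN, af->len);
    return af->len;
}

/* Run copy_action_frame() on a constructed, zero-filled frame of 'len' bytes. */
static int try_len(size_t len)
{
    static uint8_t buf[DOT11_MGMT_HDR_LEN + ACTION_FRAME_MAX + 64]; /* constructed input */
    static struct action_frame af;
    return len <= sizeof(buf) ? copy_action_frame(&af, buf, len) : -1;
}

int main(void)
{
    size_t lens[] = { 10, 24, 100, 1824, 1825 };   /* constructed test lengths */
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("len=%zu unchecked=%u upper_only_ok=%d checked=%d\n", lens[i],
               (unsigned)unchecked_payload_len(lens[i]), upper_only_ok(lens[i]),
               try_len(lens[i]));
    return 0;
}
```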