On 7/7/2017 10:46 AM, Dan Carpenter wrote:
> On Thu, Jul 06, 2017 at 03:32:42PM -0700, Linus Torvalds wrote:
>> On Thu, Jul 6, 2017 at 10:11 AM, Arend van Spriel
>> <arend.vanspriel@xxxxxxxxxxxx> wrote:
>>>
>>> Looks fine to me so ...
>>
>> I really think that if we can't trust 'len', then we have to check
>> against the lower bound of DOT11_MGMT_HDR_LEN too, because otherwise
>> we'll just have a big 16-bit number instead.
>
> There is already a check in cfg80211_mlme_mgmt_tx().
>
>	if (params->len < 24 + 1)
>		return -EINVAL;
>
> It probably should be using DOT11_MGMT_HDR_LEN instead of a magic 24.

Missed that check when I looked yesterday evening. Must have been the
time ;-)
Regards,
Arend
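
The wrap-around discussed in this thread, as an added example that is not part of the original messages and is not the driver's code: a frame length below DOT11_MGMT_HDR_LEN turns into a large 16-bit body length unless the lower bound is checked as well as the upper one. The struct, the function names and FRAME_BODY_MAX are assumptions made for illustration; only the value 24 and the `< 24 + 1` test come from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOT11_MGMT_HDR_LEN 24    /* the "magic 24" quoted in the thread */
#define FRAME_BODY_MAX     1800  /* assumed buffer size, not from the thread */

struct action_frame {            /* hypothetical destination structure */
    uint16_t len;
    uint8_t  data[FRAME_BODY_MAX];
};

/* Body length computed without a lower-bound check: a short frame wraps. */
uint16_t body_len_unchecked(size_t len)
{
    return (uint16_t)(len - DOT11_MGMT_HDR_LEN);
}

/* Copy the frame body; 0 on success, -1 if len is outside both bounds. */
int copy_body(struct action_frame *af, const uint8_t *buf, size_t len)
{
    /* Lower bound: header plus at least one byte, as in the quoted check. */
    if (len < DOT11_MGMT_HDR_LEN + 1)
        return -1;
    /* Upper bound: safe to subtract now that len > DOT11_MGMT_HDR_LEN. */
    if (len - DOT11_MGMT_HDR_LEN > sizeof(af->data))
        return -1;

    af->len = (uint16_t)(len - DOT11_MGMT_HDR_LEN);
    memcpy(af->data, buf + DOT11_MGMT_HDR_LEN, af->len);
    return 0;
}

int main(void)
{
    static struct action_frame af;
    static uint8_t frame[64];    /* constructed sample frame, all zeros */

    printf("unchecked body length for len=10: %u\n",
           (unsigned)body_len_unchecked(10));
    printf("copy_body(len=10) = %d\n", copy_body(&af, frame, 10));
    printf("copy_body(len=30) = %d, body = %u bytes\n",
           copy_body(&af, frame, 30), (unsigned)af.len);
    return 0;
}
```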