
Re: [PATCH] brcmfmac: buffer overflow in brcmf_cfg80211_mgmt_tx()


On 07-07-17 11:24, Arend van Spriel wrote:
> 
> 
> On 7/7/2017 10:46 AM, Dan Carpenter wrote:
>> On Thu, Jul 06, 2017 at 03:32:42PM -0700, Linus Torvalds wrote:
>>> On Thu, Jul 6, 2017 at 10:11 AM, Arend van Spriel
>>> <arend.vanspriel@xxxxxxxxxxxx> wrote:
>>>>
>>>> Looks fine to me so ...
>>>
>>> I really think that if we can't trust 'len', then we have to check
>>> against the lower bound of DOT11_MGMT_HDR_LEN too, because otherwise
>>> we'll just have a big 16-bit number instead.
>>
>> There is already a check in cfg80211_mlme_mgmt_tx().
>>
>>     if (params->len < 24 + 1)
>>         return -EINVAL;
>>
>> It probably should be using DOT11_MGMT_HDR_LEN instead of a magic 24.
> 
> Missed that check when I looked yesterday evening. Must have been the
> time ;-)

Hi Dan,

This being said, are you going to send a V2 adding a brcmf_err() call as
Linus proposed? I think we can improve the length check above later if
deemed necessary.

Regards,
Arend
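
The lower-bound concern discussed in this thread, as an added example that is not code from the patch or from the brcmfmac driver: subtracting the header length from an unvalidated `len` wraps to a large 16-bit value, while checking both bounds first rejects the frame. `struct action_frame`, `FRAME_BUF_SIZE`, `body_len_unchecked()` and `copy_frame_body()` are hypothetical names and sizes chosen for illustration; the lower bound mirrors the `24 + 1` check quoted above.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOT11_MGMT_HDR_LEN 24u   /* the "magic 24" from the quoted check */
#define FRAME_BUF_SIZE     1800u /* assumed destination size (hypothetical) */

struct action_frame {            /* hypothetical stand-in for the driver's frame */
	uint16_t len;
	uint8_t  data[FRAME_BUF_SIZE];
};

/* Body length as a 16-bit field would store it when len is not validated. */
uint16_t body_len_unchecked(size_t len)
{
	return (uint16_t)(len - DOT11_MGMT_HDR_LEN); /* wraps if len < 24 */
}

/* Copy the frame body only when len passes both bounds. */
int copy_frame_body(struct action_frame *af, const uint8_t *buf, size_t len)
{
	if (len < DOT11_MGMT_HDR_LEN + 1)  /* header plus at least one body byte */
		return -EINVAL;
	if (len - DOT11_MGMT_HDR_LEN > sizeof(af->data)) /* upper bound */
		return -EINVAL;
	af->len = (uint16_t)(len - DOT11_MGMT_HDR_LEN);
	memcpy(af->data, buf + DOT11_MGMT_HDR_LEN, af->len);
	return 0;
}

int main(void)
{
	/* Constructed input: a zero-filled frame one byte larger than the limit. */
	static uint8_t buf[DOT11_MGMT_HDR_LEN + FRAME_BUF_SIZE + 1];
	struct action_frame af;
	size_t lens[] = { 10, 24, 25, 1824, 1825 };

	for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
		printf("len=%zu unchecked=%u checked=%d\n", lens[i],
		       (unsigned)body_len_unchecked(lens[i]),
		       copy_frame_body(&af, buf, lens[i]));
	return 0;
}
```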


