Hi Dan,

> 10704                   elems->ml_epcs_len,
> 10705                   scratch, scratch_len,
> 10706                   IEEE80211_MLE_SUBELEM_FRAGMENT);
> --> 10707        if (len < sizeof(control))
>
> If cfg80211_defragment_element() returns a negative error code then because of
> type promotion, the error codes are cast to size_t and become high positive
> values. They are treated as success.
>
> It would be easy enough to say:
>
>         if (len < (ssize_t)sizeof(control))
>                 continue;
>
> But I really am not sure the continues in this loop are correct.
> Shouldn't we instead bail out and return at the first sign of corrupt data?

This is not necessarily corrupt data. It is possible that while the scratch buffer is not large enough to defragment a specific sub element, it can be large enough to defragment another one. This is why I thought it is valid to continue.

FWIW, the only invalid data case handled by cfg80211_defragment_element() is not relevant here.

I'll prepare a patch with your suggested fix.

Regards,
Ilan.
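The type-promotion pitfall Dan points out, and the effect of the `continue` that Ilan defends, as an added stand-alone example (not the kernel's code and not part of this thread). `fake_defragment()` is a constructed stand-in for cfg80211_defragment_element(): it returns a length, or a negative value when the scratch buffer is too small. `buggy_accepts()` uses the comparison at line 10707 as written; `fixed_accepts()` uses the `(ssize_t)` cast Dan suggests. `demo_accepted()` walks a constructed list of sub-element sizes with one fixed scratch buffer so the two checks can be compared.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>   /* ssize_t */

/* Constructed stand-in for cfg80211_defragment_element(): returns the
 * defragmented length, or a negative (errno-style) value when the
 * scratch buffer cannot hold the sub-element. Not the kernel's code. */
static ssize_t fake_defragment(size_t needed, size_t scratch_len)
{
	if (scratch_len < needed)
		return -1;
	return (ssize_t)needed;
}

/* Stand-in for the `control` object whose size is checked at 10707. */
static unsigned char control[4];

/* The check as written on line 10707. `len` is ssize_t, sizeof() yields
 * size_t, so the usual arithmetic conversions promote `len` to size_t:
 * -1 becomes SIZE_MAX, the comparison is false, and the error is
 * treated as a valid length. Returns 1 when the length is accepted. */
int buggy_accepts(ssize_t len)
{
	return !(len < sizeof(control));
}

/* The check with Dan's suggested cast: both operands are now signed,
 * so a negative error code is correctly rejected. */
int fixed_accepts(ssize_t len)
{
	return !(len < (ssize_t)sizeof(control));
}

/* Walk a constructed list of sub-element sizes with one scratch buffer,
 * skipping (continue) any sub-element the check rejects, as the loop in
 * the thread does. Returns how many sub-elements were accepted.
 * With use_fixed == 0 the buggy check is used. */
int demo_accepted(int use_fixed)
{
	/* Constructed sub-element sizes: 8 and 4 fit, 16 does not. */
	const size_t needs[] = { 8, 4, 16 };
	const size_t scratch_len = 8;
	int (*accepts)(ssize_t) = use_fixed ? fixed_accepts : buggy_accepts;
	int accepted = 0;

	for (size_t i = 0; i < sizeof(needs) / sizeof(needs[0]); i++) {
		ssize_t len = fake_defragment(needs[i], scratch_len);

		/* Too small a scratch buffer for this sub-element does not
		 * mean the next one cannot be handled, hence continue. */
		if (!accepts(len))
			continue;
		accepted++;
	}
	return accepted;
}

int main(void)
{
	printf("buggy check accepts len=-1: %d\n", buggy_accepts(-1));
	printf("fixed check accepts len=-1: %d\n", fixed_accepts(-1));
	printf("sub-elements accepted, buggy: %d, fixed: %d\n",
	       demo_accepted(0), demo_accepted(1));
	return 0;
}
```

Compiling with `-Wsign-compare` (or `-Wextra`) flags the comparison in `buggy_accepts()`; it does not flag `fixed_accepts()`, which is a cheap way to catch this class of bug before a static checker does.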