Search Linux Wireless

checking for integer overflows in cfg80211_roamed_bss()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I just sent a patch for a places that didn't cap "req_ie_len" and
"resp_ie_len" properly leading to integer overflows in
cfg80211_roamed_bss().  If there was a good way, I'd like to cap those
values inside cfg80211_roamed_bss() as well.  What is a good limit to
use?

devel/net/wireless/sme.c
   653  
   654          ev = kzalloc(sizeof(*ev) + req_ie_len + resp_ie_len, gfp);
   655          if (!ev) {
   656                  cfg80211_put_bss(bss);
   657                  return;
   658          }
   659  

regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Wireless Personal Area Network]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Hiking]     [MIPS Linux]     [ARM Linux]     [Linux RAID]

  Powered by Linux