On Wed, 2012-02-29 at 09:38 +0300, Dan Carpenter wrote:
> I just sent a patch for places that didn't cap "req_ie_len" and
> "resp_ie_len" properly leading to integer overflows in
> cfg80211_roamed_bss(). If there was a good way, I'd like to cap those
> values inside cfg80211_roamed_bss() as well. What is a good limit to
> use?
>
> devel/net/wireless/sme.c
>
>         ev = kzalloc(sizeof(*ev) + req_ie_len + resp_ie_len, gfp);
>         if (!ev) {
>                 cfg80211_put_bss(bss);
>                 return;
>         }
>

Probably IEEE80211_MAX_DATA_LEN, there's no way all the IEs could ever
be longer than that combined, at least for now :)

johannes
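The size computation discussed in this thread, as an added userspace example that is not part of the original messages or the kernel source: it contrasts the unchecked sum with a variant capped at IEEE80211_MAX_DATA_LEN. The struct layout, the function names and the use of size_t for both lengths are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Value of IEEE80211_MAX_DATA_LEN in the kernel's include/linux/ieee80211.h. */
#define IEEE80211_MAX_DATA_LEN 2304

/* Hypothetical stand-in for the event allocated in cfg80211_roamed_bss(). */
struct roam_event {
    const void *bss;
    size_t req_ie_len;
    size_t resp_ie_len;
    unsigned char ies[];   /* request IEs followed by response IEs */
};

/* The quoted pattern: the sum can wrap, yielding a too-small allocation size. */
static size_t unchecked_size(size_t req_ie_len, size_t resp_ie_len)
{
    return sizeof(struct roam_event) + req_ie_len + resp_ie_len;
}

/*
 * Capped variant: returns 0 and stores the size in *out, or -1 when the
 * combined IE length exceeds the cap. The second comparison subtracts
 * instead of adding, so the check itself cannot wrap.
 */
static int capped_size(size_t req_ie_len, size_t resp_ie_len, size_t *out)
{
    if (req_ie_len > IEEE80211_MAX_DATA_LEN ||
        resp_ie_len > IEEE80211_MAX_DATA_LEN - req_ie_len)
        return -1;
    *out = sizeof(struct roam_event) + req_ie_len + resp_ie_len;
    return 0;
}

int main(void)
{
    size_t n = 0;
    int rc;

    /* Constructed inputs: one length pair that wraps, one plausible pair. */
    printf("unchecked size: %zu\n", unchecked_size(SIZE_MAX - 8, 64));
    rc = capped_size(SIZE_MAX - 8, 64, &n);
    printf("capped, wrapping input: rc=%d\n", rc);
    rc = capped_size(200, 300, &n);
    printf("capped, normal input: rc=%d size=%zu\n", rc, n);
    return 0;
}
```

With the wrapping pair, the unchecked sum comes out only 55 bytes larger than the header, far smaller than the IE data a later copy would write into the buffer.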