From: Andy Green <andy@warmcat.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: linux-wireless@vger.kernel.org,
John Linville <linville@tuxdriver.com>, Jiri Benc <jbenc@suse.cz>
Subject: Re: [PATCH Try#12 2/3] cfg80211: Radiotap parser
Date: Thu, 14 Jun 2007 10:23:02 +0100
Message-ID: <467108F6.3050508@warmcat.com>
In-Reply-To: <1181760467.29767.130.camel@johannes.berg>
Johannes Berg wrote:
> Hi Andy,
>
> Sorry, I really hate doing this, but I found yet another problem :/
>
> Hi Andy,
>
> Sorry, I really hate having comments again and again but never really
> thought about this earlier, the FCS removal thing you added made me
> think...
>
>
>> + * @max_length: total length we can parse into (eg, whole packet length)
>
>> + /* sanity check for allowed length and radiotap length field */
>> + if (max_length < le16_to_cpu(radiotap_header->it_len))
>> + return -EINVAL;
>
>> + iterator->max_length = le16_to_cpu(radiotap_header->it_len);
>
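Review bot: the bound stored in `iterator->max_length` is `it_len`, not the caller's `max_length`, so after the one-time test at `if (max_length < le16_to_cpu(radiotap_header->it_len))` nothing in these lines retains the real buffer length, and the field name collides with the `@max_length` parameter while meaning something different. Consider naming the field after what it holds (the radiotap header length) and stating in the `@max_length` kernel-doc that the value is only validated at init, so callers know the buffer must not shrink afterwards. The quoted lines also show no lower bound on `it_len` against the fixed radiotap header size; if that is not checked elsewhere in the function, it belongs next to this test.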
> This is fine, at first sight, but if you let the caller modify the skb
> like mac80211 now does with stripping the FCS, the max length really
> needs to be passed to each invocation of
> ieee80211_radiotap_iterator_next in order to catch invalid skbs. Mind
> you, we wouldn't Oops since trimming just moves the skb tail pointer,
> but something that indicated a longer length and then just have a packet
> like
Hi Johannes -
No it sounds a real issue, don't feel bad! I will look at it
this morning and fold the changes from Michael into another try.
-Andy
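
Added example, not part of the original thread or patch: a user-space C sketch of the length issue discussed above, checking the claimed radiotap length once at init and again against the current buffer length on every iteration step. The names `rt_iter`, `rt_init`, `rt_next`, `walk` and the sample frame are constructed for illustration, and arguments are walked as single bytes for brevity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define RT_FIXED_HDR 8 /* version, pad, it_len (le16), it_present (le32) */

/* Illustrative user-space iterator; names are hypothetical, not the kernel's. */
struct rt_iter {
    const uint8_t *buf; /* start of the radiotap header */
    size_t it_len;      /* header length claimed by the frame */
    size_t off;         /* offset of the next argument byte */
};

/* One-time check: the claimed header must fit in the buffer as it is now. */
static int rt_init(struct rt_iter *it, const uint8_t *buf, size_t max_length)
{
    if (max_length < RT_FIXED_HDR)
        return -1;
    it->it_len = (size_t)buf[2] | ((size_t)buf[3] << 8); /* little-endian */
    if (it->it_len < RT_FIXED_HDR || it->it_len > max_length)
        return -1;
    it->buf = buf;
    it->off = RT_FIXED_HDR;
    return 0;
}

/* Per-call check: cur_length is the buffer length at the time of this call. */
static int rt_next(struct rt_iter *it, size_t cur_length, uint8_t *out)
{
    if (it->it_len > cur_length)
        return -1; /* buffer was trimmed below the claimed header */
    if (it->off >= it->it_len)
        return 1;  /* end of radiotap arguments */
    *out = it->buf[it->off++];
    return 0;
}

/* Constructed 14-byte frame: it_len = 12, then 2 trailing bytes. */
static const uint8_t frame[14] = { 0, 0, 12, 0, 2, 0, 0, 0, 0x10, 0, 0, 0, 0xaa, 0xbb };

/* Returns the number of argument bytes walked, or -1 on a length violation. */
int walk(size_t init_len, size_t cur_len)
{
    struct rt_iter it;
    uint8_t b;
    int n = 0, r = rt_init(&it, frame, init_len);
    while (r == 0 && (r = rt_next(&it, cur_len, &b)) == 0)
        n++;
    return r < 0 ? -1 : n;
}
int main(void) { printf("%d %d\n", walk(14, 14), walk(14, 10)); return 0; }
```

`walk(14, 10)` models a caller that trims 4 bytes from the tail after init: the init check passes, and only the per-call length catches that the header now claims more than the buffer holds.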
Thread overview: 12+ messages
2007-06-13 9:37 [PATCH Try#12 0/3] Radiotap injection for Monitor Mode andy
2007-06-13 9:37 ` [PATCH Try#12 1/3] mac80211: Monitor mode radiotap injection docs andy
2007-06-13 9:37 ` [PATCH Try#12 2/3] cfg80211: Radiotap parser andy
2007-06-13 18:47 ` Johannes Berg
2007-06-14 9:22 ` Johannes Berg
2007-06-14 9:23 ` Andy Green [this message]
2007-06-14 10:02 ` Andy Green
2007-06-16 12:26 ` Johannes Berg
2007-06-13 9:37 ` [PATCH Try#12 3/3] mac80211: Monitor mode radiotap-based packet injection andy
2007-06-13 18:56 ` Johannes Berg
2007-06-14 7:18 ` [PATCH Try#12 0/3] Radiotap injection for Monitor Mode Michael Wu
2007-06-14 7:57 ` Andy Green