On Tue, Apr 14, 2026 at 03:02:00PM +0000, Dan Carpenter wrote:
> Do we know for sure that this is within bounds? And there is earlier
> code which pokes in pframe as well. This code is quite complicated.

You're right, I missed that. get_da(pframe) at the top of the function
already accesses pframe+4..+9, and GetPrivacy() reads the FC field,
both without any length check.

I'll add an early check against WLAN_HDR_A3_LEN before any pframe
access and send a v2.

Thanks,
Alexandru
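
The ordering the reply describes (length check first, header field reads after) is shown below as an added example; it is not part of the original message and not the driver's code. `parse_hdr`, `struct hdr_info` and the `HDR_A3_LEN`, `ADDR1_OFFSET` and `FC_PROTECTED` constants are hypothetical stand-ins that assume the 24-byte three-address 802.11 header, with the destination address at bytes 4..9 and the Protected Frame bit in the second frame-control byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the driver's names; the values follow the
 * 802.11 three-address header layout (assumption, not driver code). */
#define HDR_A3_LEN   24   /* FC(2) + Duration(2) + 3 * addr(6) + Seq(2) */
#define ADDR1_OFFSET 4    /* destination address occupies bytes 4..9 */
#define FC_PROTECTED 0x40 /* Protected Frame bit, second FC byte */

struct hdr_info {
    uint8_t da[6];
    int     protected_frame;
};

/* Returns 0 on success, -1 if the buffer cannot hold a full header.
 * The length check runs before any byte of the frame is read. */
int parse_hdr(const uint8_t *frame, size_t len, struct hdr_info *out)
{
    if (frame == NULL || out == NULL)
        return -1;
    if (len < HDR_A3_LEN)
        return -1; /* runt frame: reading bytes 4..9 would go out of bounds */

    memcpy(out->da, frame + ADDR1_OFFSET, sizeof(out->da));
    out->protected_frame = (frame[1] & FC_PROTECTED) != 0;
    return 0;
}

int main(void)
{
    /* Constructed sample frames: a full-length header and a 6-byte runt. */
    uint8_t full[HDR_A3_LEN] = { 0xb0, 0x40, 0, 0,
                                 0x02, 0x11, 0x22, 0x33, 0x44, 0x55 };
    uint8_t runt[6] = { 0xb0, 0x40, 0, 0, 0x02, 0x11 };
    struct hdr_info hi;

    printf("full: %d\n", parse_hdr(full, sizeof(full), &hi));
    printf("runt: %d\n", parse_hdr(runt, sizeof(runt), &hi));
    return 0;
}
```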