linux-wireless.vger.kernel.org archive mirror
* checking for integer overflows in cfg80211_roamed_bss()
@ 2012-02-29  6:38 Dan Carpenter
  2012-02-29  8:28 ` Johannes Berg
  0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2012-02-29  6:38 UTC
  To: linux-wireless

I just sent a patch for a places that didn't cap "req_ie_len" and
"resp_ie_len" properly leading to integer overflows in
cfg80211_roamed_bss().  If there was a good way, I'd like to cap those
values inside cfg80211_roamed_bss() as well.  What is a good limit to
use?

devel/net/wireless/sme.c

        ev = kzalloc(sizeof(*ev) + req_ie_len + resp_ie_len, gfp);
        if (!ev) {
                cfg80211_put_bss(bss);
                return;
        }

regards,
dan carpenter


* Re: checking for integer overflows in cfg80211_roamed_bss()
  2012-02-29  6:38 checking for integer overflows in cfg80211_roamed_bss() Dan Carpenter
@ 2012-02-29  8:28 ` Johannes Berg
  0 siblings, 0 replies; 2+ messages in thread
From: Johannes Berg @ 2012-02-29  8:28 UTC
  To: Dan Carpenter; +Cc: linux-wireless

On Wed, 2012-02-29 at 09:38 +0300, Dan Carpenter wrote:
> I just sent a patch for a places that didn't cap "req_ie_len" and
> "resp_ie_len" properly leading to integer overflows in
> cfg80211_roamed_bss().  If there was a good way, I'd like to cap those
> values inside cfg80211_roamed_bss() as well.  What is a good limit to
> use?
> 
> devel/net/wireless/sme.c
>
>         ev = kzalloc(sizeof(*ev) + req_ie_len + resp_ie_len, gfp);
>         if (!ev) {
>                 cfg80211_put_bss(bss);
>                 return;
>         }

Probably IEEE80211_MAX_DATA_LEN, there's no way all the IEs could ever
be longer than that combined, at least for now :)

johannes
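
The size computation discussed in this thread, as an added userspace example that is not code from either poster or from the kernel: it shows the unchecked sum wrapping and a capped version that rejects oversized lengths before any addition happens. Assumptions: struct roam_event and the three function names are hypothetical, calloc() stands in for kzalloc(), and the cap is 2304, the value of IEEE80211_MAX_DATA_LEN in the kernel's include/linux/ieee80211.h.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_IE_TOTAL 2304 /* assumed cap, same value as IEEE80211_MAX_DATA_LEN */

/* Hypothetical stand-in for the event struct: header, then both IE blobs. */
struct roam_event {
    size_t req_ie_len, resp_ie_len;
    unsigned char ies[];
};

/* The pattern quoted in the thread: the size_t sum silently wraps. */
size_t unchecked_size(size_t req_ie_len, size_t resp_ie_len)
{
    return sizeof(struct roam_event) + req_ie_len + resp_ie_len;
}

/* Compare by subtraction so no intermediate sum can wrap before the test. */
bool checked_size(size_t req_ie_len, size_t resp_ie_len, size_t *out)
{
    if (req_ie_len > MAX_IE_TOTAL || resp_ie_len > MAX_IE_TOTAL - req_ie_len)
        return false;
    *out = sizeof(struct roam_event) + req_ie_len + resp_ie_len;
    return true;
}

/* Allocate and fill an event; returns NULL on oversized input or OOM. */
struct roam_event *roam_event_alloc(const unsigned char *req_ie, size_t req_ie_len,
                                    const unsigned char *resp_ie, size_t resp_ie_len)
{
    size_t size;
    struct roam_event *ev;
    if (!checked_size(req_ie_len, resp_ie_len, &size) || !(ev = calloc(1, size)))
        return NULL;
    ev->req_ie_len = req_ie_len;
    ev->resp_ie_len = resp_ie_len;
    if (req_ie_len)
        memcpy(ev->ies, req_ie, req_ie_len);
    if (resp_ie_len)
        memcpy(ev->ies + req_ie_len, resp_ie, resp_ie_len);
    return ev;
}

int main(void)
{
    printf("unchecked size for (SIZE_MAX, 1): %zu bytes\n", unchecked_size((size_t)-1, 1));
    return 0;
}
```

With the unchecked sum, lengths of SIZE_MAX and 1 yield an allocation just large enough for the header, which is why the cap has to be tested before the lengths are added.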

