On Mon, 2018-09-03 at 10:56 +0200, Johannes Berg wrote:
> On Fri, 2018-08-31 at 11:31 +0300, Luca Coelho wrote:
> > 
> > +   cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_CAPABILITY, ies,
> > ies_len);
> > +   if (cap && cap[1] >= sizeof(*params->he_cap) + 1)
> > +           params->he_cap = (void *)(cap + 3);
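Review bot: the length test on `cap[1]` only proves that `sizeof(*params->he_cap)` bytes follow the extension ID byte, and `params->he_cap` is then assigned as a bare pointer with no length, so nothing here bounds what a consumer reads past that fixed struct. Consider carrying the remaining element length alongside the pointer, or running the element through a shared validity helper before the assignment. The `+ 1` and `cap + 3` offsets would also benefit from a short comment naming the header bytes they account for (element ID, length, extension ID).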
> 
> I think this should validate that the element is actually well-formed
> before passing it to the driver. To do this, need to refactor the size
> checks from ieee80211_he_cap_ie_to_sta_he_cap().

We don't currently check any of the other IEs we use in this function. 
Do you mean that this is relevant only for HE?

I can spin the size checks off from mac80211 so it can be reused here,
but maybe that should be in a separate patch?

--
Cheers,
Luca.
