Re: [PATCH V2] brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()

2017-07-12 Thread David Miller
From: Arend van Spriel
Date: Wed, 12 Jul 2017 13:49:23 +0200
> On 7/7/2017 10:09 PM, Arend van Spriel wrote:
>> The lower level nl80211 code in cfg80211 ensures that "len" is between
>> 25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24)
>> from "len" so that's max of 2280.

Re: [PATCH V2] brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()

2017-07-12 Thread Arend van Spriel
On 7/7/2017 10:09 PM, Arend van Spriel wrote: The lower level nl80211 code in cfg80211 ensures that "len" is between 25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from "len" so that's max of 2280. However, the action_frame->data[] buffer is only BRCMF_FIL_ACTION_FRAME_S

Re: [PATCH V2] brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()

2017-07-07 Thread Linus Torvalds
On Fri, Jul 7, 2017 at 1:09 PM, Arend van Spriel wrote:
> Now I signed off on the patch although formally I suppose Linus should
> sign it off.
You can certainly consider it Signed-off-by: Linus Torvalds but I really don't need the authorship (or resulting sign-off requirement) because mult

[PATCH V2] brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()

2017-07-07 Thread Arend van Spriel
The lower level nl80211 code in cfg80211 ensures that "len" is between 25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from "len" so that's max of 2280. However, the action_frame->data[] buffer is only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can overf