2008-06-19 18:35:17

by Tomas Winkler

Subject: [RFC PATCH 1/2] mac80211: 11d Handling - Country Information Element

From: Assaf Krauss <[email protected]>

This patch handles country information elements incoming from
the AP. In order to do that, there is a need to keep track of
txpower inputs.
This patch adds a distinction between 3 types of txpower inputs:
1. hw support - max txpower allowed by hw on each channel
2. user - max txpower supplied by user
3. 11d - max txpower allowed by currently associated AP, as given
in country information elements.
Each time there is a association/disassociation, changing of channel,
or changing of user txpower, the tx power limit is recalculated and
passed to the underlying driver.

Country element:
The mac80211 identifies the current channel in the element,
and, if required, propogates the request to reduce the tx
power to the driver.

Signed-off-by: Assaf Krauss <[email protected]>
---
include/net/mac80211.h | 7 ++-
net/mac80211/ieee80211_i.h | 1 +
net/mac80211/main.c | 21 ++++++---
net/mac80211/mlme.c | 110 ++++++++++++++++++++++++++++++++++++++++++++
net/mac80211/wext.c | 26 +++++------
5 files changed, 143 insertions(+), 22 deletions(-)

diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index 8382fc6..693534e 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -159,12 +159,14 @@ struct ieee80211_low_level_stats {
* @BSS_CHANGED_ERP_CTS_PROT: CTS protection changed
* @BSS_CHANGED_ERP_PREAMBLE: preamble changed
* @BSS_CHANGED_HT: 802.11n parameters changed
+ * @BSS_CHANGED_PWR: power constrains has changed
*/
enum ieee80211_bss_change {
BSS_CHANGED_ASSOC = 1<<0,
BSS_CHANGED_ERP_CTS_PROT = 1<<1,
BSS_CHANGED_ERP_PREAMBLE = 1<<2,
BSS_CHANGED_HT = 1<<4,
+ BSS_CHANGED_PWR = 1<<5,
};

/**
@@ -412,7 +414,8 @@ enum ieee80211_conf_flags {
* TODO make a flag
* @beacon_int: beacon interval (TODO make interface config)
* @flags: configuration flags defined above
- * @power_level: requested transmit power (in dBm)
+ * @power_level: requested transmit power in operational channel (in dBm)
+ * @user_power_level: global power maximum (limits hw scan)
* @max_antenna_gain: maximum antenna gain (in dBi)
* @antenna_sel_tx: transmit antenna selection, 0: default/diversity,
* 1/2: antenna 0/1
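Review bot: The kernel-doc added here documents `@user_power_level`, but the field the next hunk adds to struct ieee80211_conf is `user_pwr_limit`, and the second new field `tpc_pwr_limit` gets no kernel-doc entry at all, so the comment will not match the structure and kernel-doc will warn. Suggest `* @user_pwr_limit: user-requested power maximum in dBm, 0 = no limit (also bounds hw scan)` and `* @tpc_pwr_limit: power maximum from the associated AP's country element in dBm, 0 = no limit`. The zero-means-unset convention is what ieee80211_calculate_power_level in main.c relies on, so it belongs in the header where driver authors will see it.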
@@ -427,6 +430,8 @@ struct ieee80211_conf {
int beacon_int;
u32 flags;
int power_level;
+ int user_pwr_limit;
+ int tpc_pwr_limit;
int max_antenna_gain;
u8 antenna_sel_tx;
u8 antenna_sel_rx;
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index defcc4d..f718f75 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -377,6 +377,7 @@ struct ieee80211_if_sta {

int wmm_last_param_set;
int num_beacons; /* number of TXed beacon frames by this STA */
+ u8 country_max_pwr; /* max power obtained from country ie (11d) */
};
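Review bot: `country_max_pwr` is a u8 whose zero value doubles as the "no constraint" sentinel (ieee80211_set_disassoc and the scan path in this series test it for zero), so a country element that legitimately advertises 0 dBm for the current channel is indistinguishable from no element and ieee80211_calculate_power_level will ignore it. It is also narrower than the `int tpc_pwr_limit` it is copied into, and as I read the standard the Country element's maximum transmit power field may be a signed dBm value — TODO confirm against the spec text; a signed field plus an explicit "valid" flag would avoid both problems. At minimum document the sentinel: `u8 country_max_pwr; /* max power (dBm) from country ie (11d), 0 = none */`.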

static inline void ieee80211_if_sta_set_mesh_id(struct ieee80211_if_sta *ifsta,
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 5c5396e..3f62a44 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -1028,6 +1028,19 @@ int ieee80211_if_config_beacon(struct net_device *dev)
return __ieee80211_if_config(dev, skb);
}

+static void ieee80211_calculate_power_level(struct ieee80211_local *local)
+{
+ struct ieee80211_channel *chan = local->hw.conf.channel;
+
+ local->hw.conf.power_level = chan->max_power;
+ if (local->hw.conf.user_pwr_limit)
+ local->hw.conf.power_level = min(local->hw.conf.user_pwr_limit,
+ local->hw.conf.power_level);
+ if (local->hw.conf.tpc_pwr_limit)
+ local->hw.conf.power_level = min(local->hw.conf.tpc_pwr_limit,
+ local->hw.conf.power_level);
+}
+
int ieee80211_hw_config(struct ieee80211_local *local)
{
struct ieee80211_channel *chan;
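Review bot: ieee80211_calculate_power_level encodes a precedence (channel maximum first, then the user limit, then the 11d limit, each applied only when non-zero) that only the cover letter explains; a reader of main.c has no way to know that 0 means "unset" for both limits. A header comment such as `/* power_level = min(channel max, user limit, 11d limit); a limit of 0 means "not set" */` would make the contract explicit and would also make visible that a genuine 0 dBm 11d constraint cannot be expressed with this encoding.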
@@ -1040,13 +1053,7 @@ int ieee80211_hw_config(struct ieee80211_local *local)

local->hw.conf.channel = chan;

- if (!local->hw.conf.power_level)
- local->hw.conf.power_level = chan->max_power;
- else
- local->hw.conf.power_level = min(chan->max_power,
- local->hw.conf.power_level);
-
- local->hw.conf.max_antenna_gain = chan->max_antenna_gain;
+ ieee80211_calculate_power_level(local);

#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
printk(KERN_DEBUG "%s: HW CONFIG: freq=%d\n",
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 79b31de..313b02a 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -469,6 +469,97 @@ int ieee80211_ht_addt_info_ie_to_ht_bss_info(
return 0;
}

+struct ieee80211_subband_triplet {
+ u8 first_channel;
+ u8 num_of_channels;
+ u8 max_power;
+} __attribute__ ((packed));
+
+struct ieee80211_reg_triplet {
+ u8 extension_id;
+ u8 class;
+ u8 coverage;
+} __attribute__ ((packed));
+
+
+#define IEEE80211_COUNTRY_EXTENSION_ID 201
+
+/* returns 0 if no change was made, or BSS_CHANGED_PWR if new country
+ txpower was defined */
+static u32 ieee80211_sta_process_country(struct ieee80211_if_sta *ifsta,
+ struct ieee80211_local *local,
+ u8 *country_ie, u8 country_ie_len)
+{
+ int channel = ieee80211_frequency_to_channel(
+ local->hw.conf.channel->center_freq);
+
+ if (country_ie_len < 6) {
+ printk(KERN_ERR "%s: country information element shorter (%d)"
+ " than expected.\n", __func__, country_ie_len);
+ return 0;
+ }
+
+#ifdef CONFIG_MAC80211_VERBOSE_SPECT_MGMT_DEBUG
+ printk(KERN_DEBUG "countryString=%c%c%c\n",
+ country_ie[0], country_ie[1], country_ie[2]);
+#endif
+ /* skip country strings */
+ country_ie += 3;
+ country_ie_len -= 3;
+
+ /* search element for current channel */
+ while (country_ie_len >= sizeof(struct ieee80211_subband_triplet)) {
+ struct ieee80211_subband_triplet *triplet =
+ (struct ieee80211_subband_triplet *)country_ie;
+
+ if (triplet->first_channel >= IEEE80211_COUNTRY_EXTENSION_ID) {
+#ifdef CONFIG_MAC80211_VERBOSE_SPECT_MGMT_DEBUG
+ printk(KERN_DEBUG "Regulatory triplet not supported\n");
+#endif
+ country_ie += sizeof(struct ieee80211_reg_triplet);
+ country_ie_len -= sizeof(struct ieee80211_reg_triplet);
+ continue;
+ }
+
+ if (channel >= triplet->first_channel &&
+ channel < triplet->first_channel
+ + triplet->num_of_channels) {
+ /* found our channel! */
+#ifdef CONFIG_MAC80211_VERBOSE_SPECT_MGMT_DEBUG
+ printk(KERN_DEBUG "found current channel (%d) "
+ "in country ie\n", channel);
+#endif
+ if (ifsta->country_max_pwr != triplet->max_power) {
+#ifdef CONFIG_MAC80211_VERBOSE_SPECT_MGMT_DEBUG
+ printk(KERN_DEBUG "changing country max "
+ "power from %d to %d.\n",
+ ifsta->country_max_pwr,
+ triplet->max_power);
+#endif
+ ifsta->country_max_pwr = triplet->max_power;
+ local->hw.conf.tpc_pwr_limit =
+ ifsta->country_max_pwr;
+ return BSS_CHANGED_PWR;
+ }
+#ifdef CONFIG_MAC80211_VERBOSE_SPECT_MGMT_DEBUG
+ printk(KERN_DEBUG "no need to change country power\n");
+#endif
+ return 0;
+ }
+
+ country_ie += sizeof(struct ieee80211_subband_triplet);
+ country_ie_len -= sizeof(struct ieee80211_subband_triplet);
+ }
+
+#ifdef CONFIG_MAC80211_VERBOSE_SPECT_MGMT_DEBUG
+ /* NOTE: this could be a good reason to disable tx completely! */
+ printk(KERN_DEBUG
+ "match for current channel (%d) not found in country ie.\n",
+ channel);
+#endif
+ return 0;
+}
+
static void ieee80211_sta_send_associnfo(struct net_device *dev,
struct ieee80211_if_sta *ifsta)
{
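Review bot: The channel match at `channel < triplet->first_channel + triplet->num_of_channels` assumes the channels covered by a subband triplet are numbered consecutively, which holds in the 2.4 GHz band only; in the 5 GHz band the channels a triplet covers are spaced 4 apart (a triplet of first channel 36 and 4 channels covers 36/40/44/48), so on 5 GHz the current channel will usually fall outside the computed range and the AP's limit is never applied. Derive the spacing from the band, e.g. `int step = local->hw.conf.channel->band == IEEE80211_BAND_5GHZ ? 4 : 1;` and match with `channel >= triplet->first_channel && channel < triplet->first_channel + step * triplet->num_of_channels && (channel - triplet->first_channel) % step == 0`. Separately, the u8 `max_power` is copied unchanged into the int limit: if the field can be negative per the standard it needs a sign-extending conversion (confirm), and a `max_power` of 0 collapses into the "no limit" sentinel the callers rely on.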
@@ -587,6 +678,16 @@ static void ieee80211_set_associated(struct net_device *dev,
static void ieee80211_set_disassoc(struct net_device *dev,
struct ieee80211_if_sta *ifsta, int deauth)
{
+ /* Reset power level.
+ Get the tx power from the current channel/user. */
+ struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
+
+ if (ifsta->country_max_pwr || local->hw.conf.tpc_pwr_limit) {
+ ifsta->country_max_pwr = 0;
+ local->hw.conf.tpc_pwr_limit = 0;
+ ieee80211_hw_config(local);
+ }
+
if (deauth)
ifsta->auth_tries = 0;
ifsta->assoc_tries = 0;
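Review bot: The reset clears `ifsta->country_max_pwr`, which is per-interface, together with `local->hw.conf.tpc_pwr_limit`, which lives in the single shared hw config, so with more than one STA interface one vif's disassociation drops the limit imposed by the other vif's AP; if the limit is meant to be a property of the hw config that should be stated, otherwise it belongs in the sub-interface data. The return value of `ieee80211_hw_config(local)` is ignored here, while the scan path in this patch checks it. The same reset is repeated in ieee80211_sta_scan_work and ieee80211_set_freq; a small static helper would keep the three sites in step. The rest of ieee80211_set_disassoc is outside the hunk.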
@@ -3049,6 +3150,13 @@ static void ieee80211_rx_mgmt_beacon(struct net_device *dev,
&bss_info);
}

+ if (elems.country_elem)
+ changed |= ieee80211_sta_process_country(ifsta, local,
+ elems.country_elem, elems.country_elem_len);
+
+ if (changed & BSS_CHANGED_PWR)
+ ieee80211_hw_config(local);
+
ieee80211_bss_info_change_notify(sdata, changed);
}
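Review bot: The country element is processed from a received beacon, and whether this point is only reached for beacons from the BSS the interface is associated with cannot be seen here because ieee80211_rx_mgmt_beacon starts outside the hunk; if any beacon on the channel reaches it, the transmit power written to the hardware follows whatever element the last sender advertised, so please confirm the BSSID/associated check precedes this hunk (the commit text says the limit is the one given by the currently associated AP). The return value of `ieee80211_hw_config(local)` is ignored here as well, so a failed reconfigure still leaves `ifsta->country_max_pwr` recorded as if it had been applied.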

@@ -4053,6 +4161,8 @@ void ieee80211_sta_scan_work(struct work_struct *work)

if (!skip) {
local->scan_channel = chan;
+ local->hw.conf.tpc_pwr_limit = 0;
+ sdata->u.sta.country_max_pwr = 0;
if (ieee80211_hw_config(local)) {
printk(KERN_DEBUG "%s: failed to set freq to "
"%d MHz for scan\n", dev->name,
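Review bot: `sdata->u.sta.country_max_pwr` is written unconditionally, but nothing in the hunk shows that sdata is a STA or IBSS interface; if a scan can be started from an interface of another type, this stores into the wrong member of the `u` union. Guard the write on `sdata->vif.type` being a STA/IBSS interface, or move the field out of the union; the same applies to the identical write this series adds to ieee80211_set_freq in wext.c. Note also that nothing re-applies the country limit once the scan returns to the operating channel other than the next beacon whose triplet differs from 0, which is presumably intended but deserves a one-line comment here.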
diff --git a/net/mac80211/wext.c b/net/mac80211/wext.c
index 5af3862..8862303 100644
--- a/net/mac80211/wext.c
+++ b/net/mac80211/wext.c
@@ -322,9 +322,11 @@ int ieee80211_set_freq(struct net_device *dev, int freqMHz)

if (local->sta_sw_scanning || local->sta_hw_scanning)
ret = 0;
- else
+ else {
+ local->hw.conf.tpc_pwr_limit = 0;
+ sdata->u.sta.country_max_pwr = 0;
ret = ieee80211_hw_config(local);
-
+ }
rate_control_clear(local);
}

@@ -657,7 +659,6 @@ static int ieee80211_ioctl_siwtxpower(struct net_device *dev,
{
struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
bool need_reconfig = 0;
- int new_power_level;

if ((data->txpower.flags & IW_TXPOW_TYPE) != IW_TXPOW_DBM)
return -EINVAL;
@@ -665,21 +666,18 @@ static int ieee80211_ioctl_siwtxpower(struct net_device *dev,
return -EINVAL;

if (data->txpower.fixed) {
- new_power_level = data->txpower.value;
- } else {
+ if (data->txpower.value <= 0)
+ return -EINVAL;
+ if (local->hw.conf.user_pwr_limit != data->txpower.value) {
+ local->hw.conf.user_pwr_limit = data->txpower.value;
+ need_reconfig = 1;
+ }
+ } else if (local->hw.conf.user_pwr_limit != 0) {
/*
* Automatic power level. Use maximum power for the current
* channel. Should be part of rate control.
*/
- struct ieee80211_channel* chan = local->hw.conf.channel;
- if (!chan)
- return -EINVAL;
-
- new_power_level = chan->max_power;
- }
-
- if (local->hw.conf.power_level != new_power_level) {
- local->hw.conf.power_level = new_power_level;
+ local->hw.conf.user_pwr_limit = 0;
need_reconfig = 1;
}
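Review bot: The retained comment `Automatic power level. Use maximum power for the current channel. Should be part of rate control.` now sits above code that merely clears `user_pwr_limit`, so it describes behaviour that moved to ieee80211_calculate_power_level; rewrite it as `/* Automatic power level: drop the user limit so the channel and 11d maxima apply. */`. The new `if (data->txpower.value <= 0) return -EINVAL;` also turns a fixed request of 0 dBm into an error because 0 is the "no limit" sentinel in user_pwr_limit — acceptable if intended, but say so in a comment, since the previous code accepted it. The tail of ieee80211_ioctl_siwtxpower is outside the hunk.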

--
1.5.4.1

---------------------------------------------------------------------
Intel Israel (74) Limited

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.



2008-06-19 22:32:22

by Tomas Winkler

Subject: Re: [RFC PATCH 1/2] mac80211: 11d Handling - Country Information Element

On Fri, Jun 20, 2008 at 1:04 AM, David Miller <[email protected]> wrote:
> From: "Tomas Winkler" <[email protected]>
> Date: Thu, 19 Jun 2008 23:29:55 +0300
>
>> On Thu, Jun 19, 2008 at 11:18 PM, Johannes Berg
>> <[email protected]> wrote:
>> >
>> >> >> + if (country_ie_len < 6) {
>> >> >> + printk(KERN_ERR "%s: country information element shorter (%d)"
>> >> >> + " than expected.\n", __func__, country_ie_len);
>> >> >
>> >> > Remotely exploitable security bug.
>> >
>> >> Please explain,
>> >
>> > Sending broken frames will fill the disk.
>>
>> I see thanks (yeah, distors doesn't make separate log partitions as default)
>
> How distros do their partitioning is neither here not there. And even
> if they make a seperate log partition, that means it's still exploitable
> in that you will no longer get the other non-spam log messages that might
> be important to know about.
>
> Any kernel log message triggerable remotely without any kind of rate
> limiting is a bug.

Will keep in mind
Thanks
Tomas

2008-06-19 19:05:20

by Johannes Berg

Subject: Re: [RFC PATCH 2/2] mac80211: workaround for resetting the tx power

On Thu, 2008-06-19 at 21:35 +0300, Tomas Winkler wrote:
> From: Assaf Krauss <[email protected]>
>
> This patch is a workaround for the unreliable disassociation
> flow. The resetting of the tx power is now performed upon
> association/reassociation.
>
> Signed-off-by: Assaf Krauss <[email protected]>
> Signed-off-by: Tomas Winkler <[email protected]>
> ---
> net/mac80211/mlme.c | 13 +++++++++++++
> 1 files changed, 13 insertions(+), 0 deletions(-)
>
> diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
> index 313b02a..378ccd5 100644
> --- a/net/mac80211/mlme.c
> +++ b/net/mac80211/mlme.c
> @@ -2148,6 +2148,19 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
> /* AssocResp and ReassocResp have identical structure, so process both
> * of them in this function. */
>
> + /***********************************************************
> + * Workaround - Until disassociation flow is trustworthy...
> + ***********************************************************/
> + /* Reset power level. Get the tx power from the current channel/user.*/
> + if (ifsta->country_max_pwr || local->hw.conf.tpc_pwr_limit) {
> + ifsta->country_max_pwr = 0;
> + local->hw.conf.tpc_pwr_limit = 0;
> + ieee80211_hw_config(local);
> + }
> + /***********************************************************
> + * End of Workaround
> + ***********************************************************/

Umm, can you explain/fix the problem instead of adding ugly comments
like that?

johannes



2008-06-19 20:26:26

by Tomas Winkler

Subject: Re: [RFC PATCH 2/2] mac80211: workaround for resetting the tx power

On Thu, Jun 19, 2008 at 10:04 PM, Johannes Berg
<[email protected]> wrote:
> On Thu, 2008-06-19 at 21:35 +0300, Tomas Winkler wrote:
>> From: Assaf Krauss <[email protected]>
>>
>> This patch is a workaround for the unreliable disassociation
>> flow. The resetting of the tx power is now performed upon
>> association/reassociation.
>>
>> Signed-off-by: Assaf Krauss <[email protected]>
>> Signed-off-by: Tomas Winkler <[email protected]>
>> ---
>> net/mac80211/mlme.c | 13 +++++++++++++
>> 1 files changed, 13 insertions(+), 0 deletions(-)
>>
>> diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
>> index 313b02a..378ccd5 100644
>> --- a/net/mac80211/mlme.c
>> +++ b/net/mac80211/mlme.c
>> @@ -2148,6 +2148,19 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
>> /* AssocResp and ReassocResp have identical structure, so process both
>> * of them in this function. */
>>
>> + /***********************************************************
>> + * Workaround - Until disassociation flow is trustworthy...
>> + ***********************************************************/
>> + /* Reset power level. Get the tx power from the current channel/user.*/
>> + if (ifsta->country_max_pwr || local->hw.conf.tpc_pwr_limit) {
>> + ifsta->country_max_pwr = 0;
>> + local->hw.conf.tpc_pwr_limit = 0;
>> + ieee80211_hw_config(local);
>> + }
>> + /***********************************************************
>> + * End of Workaround
>> + ***********************************************************/
>
> Umm, can you explain/fix the problem instead of adding ugly comments
> like that?

This patch goes separately with hope it will be not used.
Disconnection is not really captured correctly by mac and old data
are not cleaned.
Tomas

2008-06-19 20:16:38

by Tomas Winkler

Subject: Re: [RFC PATCH 1/2] mac80211: 11d Handling - Country Information Element

On Thu, Jun 19, 2008 at 10:03 PM, Johannes Berg
<[email protected]> wrote:
>
>> +static void ieee80211_calculate_power_level(struct ieee80211_local *local)
>> +{
>> + struct ieee80211_channel *chan = local->hw.conf.channel;
>> +
>> + local->hw.conf.power_level = chan->max_power;
>> + if (local->hw.conf.user_pwr_limit)
>> + local->hw.conf.power_level = min(local->hw.conf.user_pwr_limit,
>> + local->hw.conf.power_level);
>> + if (local->hw.conf.tpc_pwr_limit)
>> + local->hw.conf.power_level = min(local->hw.conf.tpc_pwr_limit,
>> + local->hw.conf.power_level);
>> +}
>> +
>> int ieee80211_hw_config(struct ieee80211_local *local)
>> {
>> struct ieee80211_channel *chan;
>> @@ -1040,13 +1053,7 @@ int ieee80211_hw_config(struct ieee80211_local *local)
>>
>> local->hw.conf.channel = chan;
>>
>> - if (!local->hw.conf.power_level)
>> - local->hw.conf.power_level = chan->max_power;
>> - else
>> - local->hw.conf.power_level = min(chan->max_power,
>> - local->hw.conf.power_level);
>> -
>> - local->hw.conf.max_antenna_gain = chan->max_antenna_gain;
>> + ieee80211_calculate_power_level(local);
>
> Lost antenna gain setting?

Oops

>
>
>> + if (country_ie_len < 6) {
>> + printk(KERN_ERR "%s: country information element shorter (%d)"
>> + " than expected.\n", __func__, country_ie_len);
>
> Remotely exploitable security bug.
Please explain,
>
>> - if (local->hw.conf.power_level != new_power_level) {
>> - local->hw.conf.power_level = new_power_level;
>> + local->hw.conf.user_pwr_limit = 0;
>
> whitespace damage.
Will fix, though it's strange that it passed checkpatch

Thanks for review
Adding Luis with hope for some more review with connection to reg domain stuff.

Tomas

2008-06-19 20:30:11

by Tomas Winkler

Subject: Re: [RFC PATCH 1/2] mac80211: 11d Handling - Country Information Element

On Thu, Jun 19, 2008 at 11:18 PM, Johannes Berg
<[email protected]> wrote:
>
>> >> + if (country_ie_len < 6) {
>> >> + printk(KERN_ERR "%s: country information element shorter (%d)"
>> >> + " than expected.\n", __func__, country_ie_len);
>> >
>> > Remotely exploitable security bug.
>
>> Please explain,
>
> Sending broken frames will fill the disk.

I see, thanks (yeah, distros don't make separate log partitions by default)

Tomas

2008-06-19 20:18:49

by Johannes Berg

Subject: Re: [RFC PATCH 1/2] mac80211: 11d Handling - Country Information Element


> >> + if (country_ie_len < 6) {
> >> + printk(KERN_ERR "%s: country information element shorter (%d)"
> >> + " than expected.\n", __func__, country_ie_len);
> >
> > Remotely exploitable security bug.

> Please explain,

Sending broken frames will fill the disk.

johannes



2008-06-19 22:04:48

by David Miller

Subject: Re: [RFC PATCH 1/2] mac80211: 11d Handling - Country Information Element

From: "Tomas Winkler" <[email protected]>
Date: Thu, 19 Jun 2008 23:29:55 +0300

> On Thu, Jun 19, 2008 at 11:18 PM, Johannes Berg
> <[email protected]> wrote:
> >
> >> >> + if (country_ie_len < 6) {
> >> >> + printk(KERN_ERR "%s: country information element shorter (%d)"
> >> >> + " than expected.\n", __func__, country_ie_len);
> >> >
> >> > Remotely exploitable security bug.
> >
> >> Please explain,
> >
> > Sending broken frames will fill the disk.
>
> I see thanks (yeah, distors doesn't make separate log partitions as default)

How distros do their partitioning is neither here nor there. And even
if they make a separate log partition, that means it's still exploitable
in that you will no longer get the other non-spam log messages that might
be important to know about.

Any kernel log message triggerable remotely without any kind of rate
limiting is a bug.

2008-06-19 19:04:20

by Johannes Berg

Subject: Re: [RFC PATCH 1/2] mac80211: 11d Handling - Country Information Element


> +static void ieee80211_calculate_power_level(struct ieee80211_local *local)
> +{
> + struct ieee80211_channel *chan = local->hw.conf.channel;
> +
> + local->hw.conf.power_level = chan->max_power;
> + if (local->hw.conf.user_pwr_limit)
> + local->hw.conf.power_level = min(local->hw.conf.user_pwr_limit,
> + local->hw.conf.power_level);
> + if (local->hw.conf.tpc_pwr_limit)
> + local->hw.conf.power_level = min(local->hw.conf.tpc_pwr_limit,
> + local->hw.conf.power_level);
> +}
> +
> int ieee80211_hw_config(struct ieee80211_local *local)
> {
> struct ieee80211_channel *chan;
> @@ -1040,13 +1053,7 @@ int ieee80211_hw_config(struct ieee80211_local *local)
>
> local->hw.conf.channel = chan;
>
> - if (!local->hw.conf.power_level)
> - local->hw.conf.power_level = chan->max_power;
> - else
> - local->hw.conf.power_level = min(chan->max_power,
> - local->hw.conf.power_level);
> -
> - local->hw.conf.max_antenna_gain = chan->max_antenna_gain;
> + ieee80211_calculate_power_level(local);

Lost antenna gain setting?


> + if (country_ie_len < 6) {
> + printk(KERN_ERR "%s: country information element shorter (%d)"
> + " than expected.\n", __func__, country_ie_len);

Remotely exploitable security bug.


> - if (local->hw.conf.power_level != new_power_level) {
> - local->hw.conf.power_level = new_power_level;
> + local->hw.conf.user_pwr_limit = 0;

whitespace damage.

johannes



2008-06-19 18:35:17

by Tomas Winkler

Subject: [RFC PATCH 2/2] mac80211: workaround for resetting the tx power

From: Assaf Krauss <[email protected]>

This patch is a workaround for the unreliable disassociation
flow. The resetting of the tx power is now performed upon
association/reassociation.

Signed-off-by: Assaf Krauss <[email protected]>
Signed-off-by: Tomas Winkler <[email protected]>
---
net/mac80211/mlme.c | 13 +++++++++++++
1 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 313b02a..378ccd5 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2148,6 +2148,19 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
/* AssocResp and ReassocResp have identical structure, so process both
* of them in this function. */

+ /***********************************************************
+ * Workaround - Until disassociation flow is trustworthy...
+ ***********************************************************/
+ /* Reset power level. Get the tx power from the current channel/user.*/
+ if (ifsta->country_max_pwr || local->hw.conf.tpc_pwr_limit) {
+ ifsta->country_max_pwr = 0;
+ local->hw.conf.tpc_pwr_limit = 0;
+ ieee80211_hw_config(local);
+ }
+ /***********************************************************
+ * End of Workaround
+ ***********************************************************/
+
if (ifsta->state != IEEE80211_ASSOCIATE) {
printk(KERN_DEBUG "%s: association frame received from "
"%s, but not in associate state - ignored\n",
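Review bot: The reset and its `ieee80211_hw_config(local)` call run before the `ifsta->state != IEEE80211_ASSOCIATE` check on the following lines, so an association response that this function then ignores still clears the 11d limit and reconfigures the hardware; placing the block after that check (and after whatever BSSID check follows — the function body continues outside the hunk) confines it to responses the state machine actually accepts. The block is also a verbatim copy of the one patch 1/2 adds to ieee80211_set_disassoc; a shared static helper with a one-line comment would replace the banner comments and make both sites easy to remove together once disassociation is reliable.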
--
1.5.4.1

---------------------------------------------------------------------
Intel Israel (74) Limited

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.


2008-07-23 13:15:06

by Luis R. Rodriguez

Subject: Re: [RFC PATCH 1/2] mac80211: 11d Handling - Country Information Element

On Thu, Jun 19, 2008 at 3:32 PM, Tomas Winkler <[email protected]> wrote:
> On Fri, Jun 20, 2008 at 1:04 AM, David Miller <[email protected]> wrote:
>> From: "Tomas Winkler" <[email protected]>
>> Date: Thu, 19 Jun 2008 23:29:55 +0300
>>
>>> On Thu, Jun 19, 2008 at 11:18 PM, Johannes Berg
>>> <[email protected]> wrote:
>>> >
>>> >> >> + if (country_ie_len < 6) {
>>> >> >> + printk(KERN_ERR "%s: country information element shorter (%d)"
>>> >> >> + " than expected.\n", __func__, country_ie_len);
>>> >> >
>>> >> > Remotely exploitable security bug.
>>> >
>>> >> Please explain,
>>> >
>>> > Sending broken frames will fill the disk.
>>>
>>> I see thanks (yeah, distors doesn't make separate log partitions as default)
>>
>> How distros do their partitioning is neither here not there. And even
>> if they make a seperate log partition, that means it's still exploitable
>> in that you will no longer get the other non-spam log messages that might
>> be important to know about.
>>
>> Any kernel log message triggerable remotely without any kind of rate
>> limiting is a bug.
>
> Will keep in mind

Hey Tomas,

Just wondering if you have some second version of these patches we can review?

Luus

2008-07-23 15:02:12

by Tomas Winkler

Subject: Re: [RFC PATCH 1/2] mac80211: 11d Handling - Country Information Element

On Wed, Jul 23, 2008 at 4:15 PM, Luis R. Rodriguez <[email protected]> wrote:
> On Thu, Jun 19, 2008 at 3:32 PM, Tomas Winkler <[email protected]> wrote:
>> On Fri, Jun 20, 2008 at 1:04 AM, David Miller <[email protected]> wrote:
>>> From: "Tomas Winkler" <[email protected]>
>>> Date: Thu, 19 Jun 2008 23:29:55 +0300
>>>
>>>> On Thu, Jun 19, 2008 at 11:18 PM, Johannes Berg
>>>> <[email protected]> wrote:
>>>> >
>>>> >> >> + if (country_ie_len < 6) {
>>>> >> >> + printk(KERN_ERR "%s: country information element shorter (%d)"
>>>> >> >> + " than expected.\n", __func__, country_ie_len);
>>>> >> >
>>>> >> > Remotely exploitable security bug.
>>>> >
>>>> >> Please explain,
>>>> >
>>>> > Sending broken frames will fill the disk.
>>>>
>>>> I see thanks (yeah, distors doesn't make separate log partitions as default)
>>>
>>> How distros do their partitioning is neither here not there. And even
>>> if they make a seperate log partition, that means it's still exploitable
>>> in that you will no longer get the other non-spam log messages that might
>>> be important to know about.
>>>
>>> Any kernel log message triggerable remotely without any kind of rate
>>> limiting is a bug.
>>
>> Will keep in mind
>
> Hey Tomas,
>
> Just wondering if you have some second version of these patches we can review?
Not yet; I'll get back to this next week.
Thanks
Tomas