mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
authorWen Huang <huangwenabc@gmail.com>
Wed, 28 Aug 2019 02:07:51 +0000 (10:07 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 21 Sep 2019 05:14:10 +0000 (07:14 +0200)
commit21dfacaf201ed13af70a8bd3e66bcf18cdb63b35
tree3e1f0cef114192ba9822cc7ae12e5be133d8db16
parent5b30e8bdea5f833d22364038ea5a782dae0061eb
mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings

commit 7caac62ed598a196d6ddf8d9c121e12e082cac3a upstream.

mwifiex_update_vs_ie(),mwifiex_set_uap_rates() and
mwifiex_set_wmm_params() call memcpy() without checking
the destination size.Since the source is given from
user-space, this may trigger a heap buffer overflow.

Fix them by putting the length check before performing memcpy().

This fix addresses CVE-2019-14814,CVE-2019-14815,CVE-2019-14816.

Signed-off-by: Wen Huang <huangwenabc@gmail.com>
Acked-by: Ganapathi Bhat <gbhat@marvell.comg>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/net/wireless/marvell/mwifiex/ie.c
drivers/net/wireless/marvell/mwifiex/uap_cmd.c