projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: fe7e554) | patch
brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
authorArend van Spriel <arend.vanspriel@broadcom.com>
Fri, 7 Jul 2017 20:09:06 +0000 (21:09 +0100)
committerWilly Tarreau <w@1wt.eu>
Wed, 1 Nov 2017 21:12:43 +0000 (22:12 +0100)
commit7136ca73ff3496758b56f60b6fe76d675e69cd21
treebb3de139789def4cfc1a812226c57deb70c6499etree | snapshot (tar.gz zip)
parentfe7e5549d05c83b2ffd4cad1eec2156f03f859d2commit | diff
brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()

commit 8f44c9a41386729fea410e688959ddaa9d51be7c upstream.

The lower level nl80211 code in cfg80211 ensures that "len" is between
25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
"len" so thats's max of 2280.  However, the action_frame->data[] buffer is
only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
overflow.

memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
       le16_to_cpu(action_frame->len));

Cc: stable@vger.kernel.org # 3.9.x
Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[wt: s/cfg80211.c/wl_cfg80211.c in 3.10]

Signed-off-by: Willy Tarreau <w@1wt.eu>
drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c diff | blob | blame | history
kernel source for telekom puls (alcatel/mediatek)