proxmox-mirrors/mirror_ubuntu-kernels
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_ubuntu-kernels.git synced 2026-01-07 07:56:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
87891b01b5
mirror_ubuntu-kernels/drivers/net/wireless/broadcom
History
Arend van Spriel 8f44c9a413 brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() 
The lower level nl80211 code in cfg80211 ensures that "len" is between
25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
"len" so thats's max of 2280.  However, the action_frame->data[] buffer is
only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
overflow.

	memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
	       le16_to_cpu(action_frame->len));

Cc: stable@vger.kernel.org # 3.9.x
Fixes: 18e2f61db3 ("brcmfmac: P2P action frame tx.")
Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-07-12 08:29:56 -07:00
..
b43 b43: Add missing MODULE_FIRMWARE() 2017-05-22 12:02:46 +03:00
b43legacy networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
brcm80211 brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() 2017-07-12 08:29:56 -07:00
Kconfig brcm80211: move under broadcom vendor directory 2015-11-18 11:24:22 +02:00
Makefile brcm80211: move under broadcom vendor directory 2015-11-18 11:24:22 +02:00