diff options
| author | Arend van Spriel <arend.vanspriel@broadcom.com> | 2017-07-07 21:09:06 +0100 |
|---|---|---|
| committer | Moyster <oysterized@gmail.com> | 2017-08-12 15:26:29 +0200 |
| commit | f6e3d8ca0e9a3055c483a4c25ee9afe54359a4f4 (patch) | |
| tree | 734de669f99bc3c32db0a7d2b59ac9657816ed96 /include/linux/dynamic_debug.h | |
| parent | e0515277369755758258197cae70ed47ffbb76d5 (diff) | |
UPSTREAM: brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
commit 8f44c9a41386729fea410e688959ddaa9d51be7c upstream.
The lower level nl80211 code in cfg80211 ensures that "len" is between
25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from
"len" so thats's max of 2280. However, the action_frame->data[] buffer is
only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
overflow.
memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
le16_to_cpu(action_frame->len));
(cherry picked from commit ae10cf5c80b897b3a46ef1bdf77a52dd84bd336d)
Bug: 64258073
Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Iec2e6c99d113ef95127525a92336b6ccdbd10cb8
Diffstat (limited to 'include/linux/dynamic_debug.h')
0 files changed, 0 insertions, 0 deletions