Seth/kernel_amazon_mt8127-common
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c2ace3043febefbd2fec2964eb5d8a2db99039a4
kernel_amazon_mt8127-common/drivers/net
T
History
Arend van Spriel 7136ca73ff brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() 
commit 8f44c9a41386729fea410e688959ddaa9d51be7c upstream.

The lower level nl80211 code in cfg80211 ensures that "len" is between
25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
"len" so thats's max of 2280.  However, the action_frame->data[] buffer is
only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
overflow.

	memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
	       le16_to_cpu(action_frame->len));

Cc: stable@vger.kernel.org # 3.9.x
Fixes: 18e2f61db3 ("brcmfmac: P2P action frame tx.")
Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[wt: s/cfg80211.c/wl_cfg80211.c in 3.10]

Signed-off-by: Willy Tarreau <w@1wt.eu>
2017-11-01 22:12:43 +01:00
..
appletalk
arcnet
bonding
bonding: Fix bonding crash
2017-02-10 11:03:47 +01:00
caif
can
can: usb_8dev: Fix memory leak of priv->cmd_msg_buffer
2017-06-20 14:03:12 +02:00
cris
dsa
ethernet
igb: add i211 to i210 PHY workaround
2017-06-20 14:04:34 +02:00
fddi
hamradio
hippi
hyperv
netvsc: reduce maximum GSO size
2017-06-20 14:03:26 +02:00
ieee802154
irda
net: irda: Fix use-after-free in irtty_open()
2016-06-07 10:42:46 +02:00
phy
net: phy: handle state correctly in phy_stop_machine
2017-06-08 00:47:08 +02:00
plip
ppp
ppp: defer netns reference release for ppp channel
2017-02-06 09:04:07 +01:00
slip
ppp, slip: Validate VJ compression slot parameters completely
2016-01-28 21:49:35 -08:00
team
team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid
2016-01-28 21:49:35 -08:00
usb
catc: Use heap buffer for memory size test
2017-06-20 14:04:47 +02:00
vmxnet3
vmxnet3: Wake queue from reset work
2017-06-20 14:04:09 +02:00
wan
farsync: fix off-by-one bug in fst_add_one
2016-06-07 10:42:49 +02:00
wimax
wireless
brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
2017-11-01 22:12:43 +01:00
xen-netback
xen-netback: use RING_COPY_REQUEST() throughout
2017-02-06 09:04:07 +01:00
dummy.c
eql.c
ifb.c
Kconfig
LICENSE.SRC
loopback.c
macvlan.c
macvtap.c
macvtap: read vnet_hdr_size once
2017-06-20 14:04:19 +02:00
Makefile
mdio.c
mii.c
netconsole.c
ntb_netdev.c
rionet.c
rapidio/rionet: fix deadlock on SMP
2016-06-07 10:42:47 +02:00
sb1000.c
Space.c
sungem_phy.c
tun.c
tun: read vnet_hdr_sz once
2017-06-20 14:04:54 +02:00
veth.c
veth: don’t modify ip_summed; doing so treats packets with bad checksums as good.
2016-01-28 21:49:32 -08:00
virtio_net.c
virtio-net: drop NETIF_F_FRAGLIST
2015-12-09 13:40:07 -05:00
vxlan.c
vxlan: correctly validate VXLAN ID against VXLAN_N_VID
2017-06-08 00:47:03 +02:00
xen-netfront.c