author | Thorsten Leemhuis <fedora@leemhuis.info> | 2021-01-07 05:40:45 +0100 |
---|---|---|
committer | Thorsten Leemhuis <fedora@leemhuis.info> | 2021-01-07 05:40:45 +0100 |
commit | 6caba9ba76a7f8bdee939573e03da2c224ab2598 (patch) | |
tree | a47940262ae3cad007dc49d2494d8201395425dd /0001-mwifiex-Fix-possible-buffer-overflows-in-mwifiex_cmd.patch | |
parent | 05f182f99b79893ebecc7866410038eb70ff188a (diff) | |
parent | bcf7511badf20cdf8af0fa354502a8560b4d4caf (diff) | |
download | kernel-6caba9ba76a7f8bdee939573e03da2c224ab2598.tar.gz kernel-6caba9ba76a7f8bdee939573e03da2c224ab2598.tar.xz kernel-6caba9ba76a7f8bdee939573e03da2c224ab2598.zip |
Merge remote-tracking branch 'origin/stabilization' into stabilization-user-thl-vanilla-fedora
Diffstat (limited to '0001-mwifiex-Fix-possible-buffer-overflows-in-mwifiex_cmd.patch')
-rw-r--r-- | 0001-mwifiex-Fix-possible-buffer-overflows-in-mwifiex_cmd.patch | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/0001-mwifiex-Fix-possible-buffer-overflows-in-mwifiex_cmd.patch b/0001-mwifiex-Fix-possible-buffer-overflows-in-mwifiex_cmd.patch new file mode 100644 index 000000000..48ef5911c --- /dev/null +++ b/0001-mwifiex-Fix-possible-buffer-overflows-in-mwifiex_cmd.patch @@ -0,0 +1,35 @@ +From 5c455c5ab332773464d02ba17015acdca198f03d Mon Sep 17 00:00:00 2001 +From: Zhang Xiaohui <ruc_zhangxiaohui@163.com> +Date: Sun, 6 Dec 2020 16:48:01 +0800 +Subject: [PATCH] mwifiex: Fix possible buffer overflows in + mwifiex_cmd_802_11_ad_hoc_start + +mwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking +the destination size may trigger a buffer overflower, +which a local user could use to cause denial of service +or the execution of arbitrary code. +Fix it by putting the length check before calling memcpy(). + +Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +Link: https://lore.kernel.org/r/20201206084801.26479-1-ruc_zhangxiaohui@163.com +--- + drivers/net/wireless/marvell/mwifiex/join.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/marvell/mwifiex/join.c b/drivers/net/wireless/marvell/mwifiex/join.c +index 5934f7147547..173ccf79cbfc 100644 +--- a/drivers/net/wireless/marvell/mwifiex/join.c ++++ b/drivers/net/wireless/marvell/mwifiex/join.c +@@ -877,6 +877,8 @@ mwifiex_cmd_802_11_ad_hoc_start(struct mwifiex_private *priv, + + memset(adhoc_start->ssid, 0, IEEE80211_MAX_SSID_LEN); + ++ if (req_ssid->ssid_len > IEEE80211_MAX_SSID_LEN) ++ req_ssid->ssid_len = IEEE80211_MAX_SSID_LEN; + memcpy(adhoc_start->ssid, req_ssid->ssid, req_ssid->ssid_len); + + mwifiex_dbg(adapter, INFO, "info: ADHOC_S_CMD: SSID = %s\n", +-- +2.29.2 + |
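Review bot: In the join.c hunk, the new check in mwifiex_cmd_802_11_ad_hoc_start() clamps by assigning to req_ssid->ssid_len, so an over-long SSID is silently truncated and the caller's request structure is modified rather than the input being rejected. Consider bounding a local length by IEEE80211_MAX_SSID_LEN and passing that to memcpy(), or returning an error when req_ssid->ssid_len exceeds the limit, so that req_ssid is left untouched and the caller learns the SSID was invalid. After the clamp, the memcpy() can also fill all IEEE80211_MAX_SSID_LEN bytes that the preceding memset() cleared; if the "%s" in the following mwifiex_dbg() line reads adhoc_start->ssid, the string has no guaranteed terminator. The argument of that call is not visible in this hunk, so it needs checking against the full source. The commit message would also benefit from naming the path by which a local user can supply an ssid_len above the limit.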