1 files changed, 35 insertions, 0 deletions

diff --git a/0001-mwifiex-Fix-possible-buffer-overflows-in-mwifiex_cmd.patch b/0001-mwifiex-Fix-possible-buffer-overflows-in-mwifiex_cmd.patch
new file mode 100644
index 000000000..48ef5911c
--- /dev/null
+++ b/0001-mwifiex-Fix-possible-buffer-overflows-in-mwifiex_cmd.patch
@@ -0,0 +1,35 @@
+From 5c455c5ab332773464d02ba17015acdca198f03d Mon Sep 17 00:00:00 2001
+From: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
+Date: Sun, 6 Dec 2020 16:48:01 +0800
+Subject: [PATCH] mwifiex: Fix possible buffer overflows in
+ mwifiex_cmd_802_11_ad_hoc_start
+
+mwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking
+the destination size may trigger a buffer overflower,
+which a local user could use to cause denial of service
+or the execution of arbitrary code.
+Fix it by putting the length check before calling memcpy().
+
+Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20201206084801.26479-1-ruc_zhangxiaohui@163.com
+---
+ drivers/net/wireless/marvell/mwifiex/join.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/join.c b/drivers/net/wireless/marvell/mwifiex/join.c
+index 5934f7147547..173ccf79cbfc 100644
+--- a/drivers/net/wireless/marvell/mwifiex/join.c
++++ b/drivers/net/wireless/marvell/mwifiex/join.c
+@@ -877,6 +877,8 @@ mwifiex_cmd_802_11_ad_hoc_start(struct mwifiex_private *priv,
+
+ 	memset(adhoc_start->ssid, 0, IEEE80211_MAX_SSID_LEN);
+
++	if (req_ssid->ssid_len > IEEE80211_MAX_SSID_LEN)
++		req_ssid->ssid_len = IEEE80211_MAX_SSID_LEN;
+ 	memcpy(adhoc_start->ssid, req_ssid->ssid, req_ssid->ssid_len);
+
+ 	mwifiex_dbg(adapter, INFO, "info: ADHOC_S_CMD: SSID = %s\n",
+-- 
+2.29.2
+