remarkable-linux/drivers/net/wireless
Arend van Spriel 8f44c9a413 brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
The lower level nl80211 code in cfg80211 ensures that "len" is between
25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
"len" so that's a max of 2280.  However, the action_frame->data[] buffer is
only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
overflow.

	memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
	       le16_to_cpu(action_frame->len));

Cc: stable@vger.kernel.org # 3.9.x
Fixes: 18e2f61db3 ("brcmfmac: P2P action frame tx.")
Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-07-12 08:29:56 -07:00
..
admtek networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
ath ath9k: remove useless variable assignment in ath_mci_intr() 2017-06-28 19:56:36 +03:00
atmel networking: introduce and use skb_put_data() 2017-06-16 11:48:37 -04:00
broadcom brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() 2017-07-12 08:29:56 -07:00
cisco Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
intel Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
intersil Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-07-05 12:31:59 -07:00
marvell pci-v4.13-changes 2017-07-08 15:51:57 -07:00
mediatek networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
quantenna qtnfmac: fix uninitialized return code in ret 2017-06-28 20:50:12 +03:00
ralink networking: make skb_put & friends return void pointers 2017-06-16 11:48:39 -04:00
realtek rtlwifi: Add in_4way field for btcoexist 2017-06-28 20:51:01 +03:00
rsi rsi: add in missing RSI_FSM_STATES into array fsm_state 2017-06-28 20:54:14 +03:00
st cw1200: add const to hwbus_ops structures 2017-06-28 21:17:46 +03:00
ti wl18xx: add checks on wl18xx_top_reg_write() return value 2017-06-28 21:18:40 +03:00
zydas networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
Kconfig qtnfmac: introduce new FullMAC driver for Quantenna chipsets 2017-05-24 17:04:13 +03:00
mac80211_hwsim.c networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
mac80211_hwsim.h
Makefile qtnfmac: introduce new FullMAC driver for Quantenna chipsets 2017-05-24 17:04:13 +03:00
ray_cs.c ray_cs: Avoid reading past end of buffer 2017-05-22 18:27:22 +03:00
ray_cs.h
rayctl.h
rndis_wlan.c Another set of patches for -next: 2017-04-28 14:41:15 -04:00
wl3501.h
wl3501_cs.c