author | Rafał Miłecki <rafal@milecki.pl> | 2016-09-27 06:58:01 +0200 |
---|---|---|
committer | Rafał Miłecki <rafal@milecki.pl> | 2016-09-27 07:00:53 +0200 |
commit | 45b73af7f6020b1c3e3d7170d3b1ba86edabfc60 (patch) | |
tree | ba0ed4e91cff6d97c1a516f9d61d86438c0439fe /package/kernel/mac80211/patches/319-0017-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch | |
parent | 5b99693832d0307744ac16d29fb359b730fd86a3 (diff) | |
mac80211: backport brcmfmac changes from 2016-09-26
All these patches are in wireless-drivers-next. There is support for
hidden SSID, few new devices and many fixes.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Diffstat (limited to 'package/kernel/mac80211/patches/319-0017-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch')
-rw-r--r-- | package/kernel/mac80211/patches/319-0017-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/319-0017-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch b/package/kernel/mac80211/patches/319-0017-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch new file mode 100644 index 0000000000..a56dd72c46 --- /dev/null +++ b/package/kernel/mac80211/patches/319-0017-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch @@ -0,0 +1,34 @@ +From ded89912156b1a47d940a0c954c43afbabd0c42c Mon Sep 17 00:00:00 2001 +From: Arend Van Spriel <arend.vanspriel@broadcom.com> +Date: Mon, 5 Sep 2016 10:45:47 +0100 +Subject: [PATCH] brcmfmac: avoid potential stack overflow in + brcmf_cfg80211_start_ap() + +User-space can choose to omit NL80211_ATTR_SSID and only provide raw +IE TLV data. When doing so it can provide SSID IE with length exceeding +the allowed size. The driver further processes this IE copying it +into a local variable without checking the length. Hence stack can be +corrupted and used as exploit. + +Cc: stable@vger.kernel.org # v4.7 +Reported-by: Daxing Guo <freener.gdx@gmail.com> +Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> +Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> +Reviewed-by: Franky Lin <franky.lin@broadcom.com> +Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -4523,7 +4523,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wi + (u8 *)&settings->beacon.head[ie_offset], + settings->beacon.head_len - ie_offset, + WLAN_EID_SSID); +- if (!ssid_ie) ++ if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN) + return -EINVAL; + + memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len); |
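Review bot: in the brcmf_cfg80211_start_ap() hunk, the new bound `ssid_ie->len > IEEE80211_MAX_SSID_LEN` is a protocol constant, while the overflow it prevents is in `memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len)`, whose limit is the size of the destination array. Nothing in the visible lines ties the two together, so the check stays correct only as long as `ssid_le.SSID` is declared with at least IEEE80211_MAX_SSID_LEN bytes. Consider comparing against `sizeof(ssid_le.SSID)` instead, or keeping the constant and adding a compile-time assertion that the array is at least that large. Note also that this check covers only the write side of the copy. Whether `ssid_ie->len` is guaranteed to stay within `settings->beacon.head_len - ie_offset` depends on the TLV lookup whose call precedes this hunk, so that is worth confirming before relying on this as the complete fix. A zero-length SSID IE still passes the condition, so the caller continues with an empty SSID; if that is intended for hidden networks, a short comment at the check would make it explicit.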