diff options
author | Zoltan Herpai <wigyori@uid0.hu> | 2016-09-29 15:49:20 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-09-29 15:49:20 +0200 |
commit | ca3f1a614a1ee90fc67188b375888517f0c151df (patch) | |
tree | 930c456200793be1ec731e819aa0dd2e4b0b0dbf /package/kernel/mac80211/patches/351-0036-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch | |
parent | d6b3ca24c50047af58135ad3090f7a3a25eee35d (diff) | |
parent | f9755e28776fdce0c2136492b43380d0eefe3c5a (diff) | |
download | upstream-ca3f1a614a1ee90fc67188b375888517f0c151df.tar.gz upstream-ca3f1a614a1ee90fc67188b375888517f0c151df.tar.bz2 upstream-ca3f1a614a1ee90fc67188b375888517f0c151df.zip |
Merge pull request #105 from wigyori/chaos_calmer
CC: openssl security upgrade, sync updates from git.openwrt.org/chaos_calmer
Diffstat (limited to 'package/kernel/mac80211/patches/351-0036-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch')
-rw-r--r-- | package/kernel/mac80211/patches/351-0036-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/351-0036-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch b/package/kernel/mac80211/patches/351-0036-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch new file mode 100644 index 0000000000..760b6daf25 --- /dev/null +++ b/package/kernel/mac80211/patches/351-0036-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch @@ -0,0 +1,34 @@ +From ded89912156b1a47d940a0c954c43afbabd0c42c Mon Sep 17 00:00:00 2001 +From: Arend Van Spriel <arend.vanspriel@broadcom.com> +Date: Mon, 5 Sep 2016 10:45:47 +0100 +Subject: [PATCH] brcmfmac: avoid potential stack overflow in + brcmf_cfg80211_start_ap() + +User-space can choose to omit NL80211_ATTR_SSID and only provide raw +IE TLV data. When doing so it can provide SSID IE with length exceeding +the allowed size. The driver further processes this IE copying it +into a local variable without checking the length. Hence stack can be +corrupted and used as exploit. + +Cc: stable@vger.kernel.org # v4.7 +Reported-by: Daxing Guo <freener.gdx@gmail.com> +Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> +Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> +Reviewed-by: Franky Lin <franky.lin@broadcom.com> +Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -4447,7 +4447,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wi + (u8 *)&settings->beacon.head[ie_offset], + settings->beacon.head_len - ie_offset, + WLAN_EID_SSID); +- if (!ssid_ie) ++ if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN) + return -EINVAL; + + memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len); |