diff options
| author | Hauke Mehrtens <hauke@hauke-m.de> | 2019-07-07 00:08:20 +0200 |
|---|---|---|
| committer | Petr Štetiar <ynezz@true.cz> | 2019-07-18 00:22:04 +0200 |
| commit | 0b2c42ced21a7bc053e0d729f85041f1e3b54fbc (patch) | |
| tree | 5b461df94bf6d46f2700310b3d27a7b5c39e3728 /package/kernel/mac80211/patches/brcm/373-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch | |
| parent | d616b2c906690d2e471144ca12b0a9ed28de21c2 (diff) | |
| download | upstream-0b2c42ced21a7bc053e0d729f85041f1e3b54fbc.tar.gz upstream-0b2c42ced21a7bc053e0d729f85041f1e3b54fbc.tar.bz2 upstream-0b2c42ced21a7bc053e0d729f85041f1e3b54fbc.zip | |
mac80211: Update to version 5.2-rc7
This updates mac80211 to version 5.2-rc7, this contains all the changes
to the wireless subsystem up to Linux 5.2-rc7.
* The removed patches are applied upstream
* b43 now uses kmod-lib-cordic
* Update the nl80211.h file in iw to match backports version.
* Remove the two backports from kernel 4.9, they were needed for mt76,
but that can use the version from backports now, otherwise they
collide and cause compile errors.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Diffstat (limited to 'package/kernel/mac80211/patches/brcm/373-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch')
| -rw-r--r-- | package/kernel/mac80211/patches/brcm/373-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch | 50 |
1 files changed, 0 insertions, 50 deletions
diff --git a/package/kernel/mac80211/patches/brcm/373-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch b/package/kernel/mac80211/patches/brcm/373-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch deleted file mode 100644 index b4d56c34bc..0000000000 --- a/package/kernel/mac80211/patches/brcm/373-v5.2-brcm80211-potential-NULL-dereference-in-brcmf_cfg802.patch +++ /dev/null @@ -1,50 +0,0 @@ -From e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d Mon Sep 17 00:00:00 2001 -From: Dan Carpenter <dan.carpenter@oracle.com> -Date: Wed, 24 Apr 2019 12:52:18 +0300 -Subject: [PATCH] brcm80211: potential NULL dereference in - brcmf_cfg80211_vndr_cmds_dcmd_handler() - -If "ret_len" is negative then it could lead to a NULL dereference. - -The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative -then we don't allocate the "dcmd_buf" buffer. Then we pass "ret_len" to -brcmf_fil_cmd_data_set() where it is cast to a very high u32 value. -Most of the functions in that call tree check whether the buffer we pass -is NULL but there are at least a couple places which don't such as -brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd(). We memcpy() to and -from the buffer so it would result in a NULL dereference. - -The fix is to change the types so that "ret_len" can't be negative. (If -we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an -issue). - -Fixes: 1bacb0487d0e ("brcmfmac: replace cfg80211 testmode with vendor command") -Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> -Signed-off-by: Kalle Valo <kvalo@codeaurora.org> ---- - drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c -@@ -35,9 +35,10 @@ static int brcmf_cfg80211_vndr_cmds_dcmd - struct brcmf_if *ifp; - const struct brcmf_vndr_dcmd_hdr *cmdhdr = data; - struct sk_buff *reply; -- int ret, payload, ret_len; -+ unsigned int payload, ret_len; - void *dcmd_buf = NULL, *wr_pointer; - u16 msglen, maxmsglen = PAGE_SIZE - 0x100; -+ int ret; - - if (len < sizeof(*cmdhdr)) { - brcmf_err("vendor command too short: %d\n", len); -@@ -65,7 +66,7 @@ static int brcmf_cfg80211_vndr_cmds_dcmd - brcmf_err("oversize return buffer %d\n", ret_len); - ret_len = BRCMF_DCMD_MAXLEN; - } -- payload = max(ret_len, len) + 1; -+ payload = max_t(unsigned int, ret_len, len) + 1; - dcmd_buf = vzalloc(payload); - if (NULL == dcmd_buf) - return -ENOMEM; |