diff options
author | Hauke Mehrtens <hauke@hauke-m.de> | 2022-10-15 11:31:42 +0200 |
---|---|---|
committer | Hauke Mehrtens <hauke@hauke-m.de> | 2022-10-23 22:45:02 +0200 |
commit | 00d7702796d922e4258b7acb6e6b88a93071eebe (patch) | |
tree | a15b7bcb56b82b9685b18adf9574b6a62dcbe435 /package/kernel/mac80211/patches/subsys/351-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch | |
parent | 7a3d5959afe8176d40b5e29feff227bfacfd6f80 (diff) | |
download | upstream-00d7702796d922e4258b7acb6e6b88a93071eebe.tar.gz upstream-00d7702796d922e4258b7acb6e6b88a93071eebe.tar.bz2 upstream-00d7702796d922e4258b7acb6e6b88a93071eebe.zip |
mac80211: Update to version 5.15.74-1
This updates mac80211 to version 5.15.74-1 which is based on kernel
5.15.74.
The removed patches were applied upstream.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 58b65525f3165792a998fdb24fda11aa4097a7be)
Diffstat (limited to 'package/kernel/mac80211/patches/subsys/351-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch')
-rw-r--r-- | package/kernel/mac80211/patches/subsys/351-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch | 41 |
1 files changed, 0 insertions, 41 deletions
diff --git a/package/kernel/mac80211/patches/subsys/351-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch b/package/kernel/mac80211/patches/subsys/351-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch deleted file mode 100644 index 9e1f781367..0000000000 --- a/package/kernel/mac80211/patches/subsys/351-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Johannes Berg <johannes.berg@intel.com> -Date: Wed, 28 Sep 2022 21:56:15 +0200 -Subject: [PATCH] wifi: cfg80211: fix u8 overflow in - cfg80211_update_notlisted_nontrans() - -commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream. - -In the copy code of the elements, we do the following calculation -to reach the end of the MBSSID element: - - /* copy the IEs after MBSSID */ - cpy_len = mbssid[1] + 2; - -This looks fine, however, cpy_len is a u8, the same as mbssid[1], -so the addition of two can overflow. In this case the subsequent -memcpy() will overflow the allocated buffer, since it copies 256 -bytes too much due to the way the allocation and memcpy() sizes -are calculated. - -Fix this by using size_t for the cpy_len variable. - -This fixes CVE-2022-41674. - -Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de> -Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de> -Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") -Reviewed-by: Kees Cook <keescook@chromium.org> -Signed-off-by: Johannes Berg <johannes.berg@intel.com> ---- - ---- a/net/wireless/scan.c -+++ b/net/wireless/scan.c -@@ -2238,7 +2238,7 @@ cfg80211_update_notlisted_nontrans(struc - size_t new_ie_len; - struct cfg80211_bss_ies *new_ies; - const struct cfg80211_bss_ies *old; -- u8 cpy_len; -+ size_t cpy_len; - - lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock); - |