Diffstat (limited to 'package/kernel/mac80211/patches/319-0027-brcmfmac-fix-out-of-bound-access-on-clearing-wowl-wa.patch')
-rw-r--r-- | package/kernel/mac80211/patches/319-0027-brcmfmac-fix-out-of-bound-access-on-clearing-wowl-wa.patch | 44 |
1 files changed, 0 insertions, 44 deletions
diff --git a/package/kernel/mac80211/patches/319-0027-brcmfmac-fix-out-of-bound-access-on-clearing-wowl-wa.patch b/package/kernel/mac80211/patches/319-0027-brcmfmac-fix-out-of-bound-access-on-clearing-wowl-wa.patch
deleted file mode 100644
index 4a005d608a..0000000000
--- a/package/kernel/mac80211/patches/319-0027-brcmfmac-fix-out-of-bound-access-on-clearing-wowl-wa.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From a7ed7828ecda0c2b5e0d7f55dedd4230afd4b583 Mon Sep 17 00:00:00 2001
-From: Hante Meuleman <hante.meuleman@broadcom.com>
-Date: Mon, 19 Sep 2016 12:09:58 +0100
-Subject: [PATCH] brcmfmac: fix out of bound access on clearing wowl wake
- indicator
-
-Clearing the wowl wakeindicator happens with a rather odd
-construction where the string "clear" is used to set the iovar
-wowl_wakeind. This was implemented incorrectly as it caused an
-out of bound access. Use an intermediate variable of correct
-length and copy string in that. Problem was found using coverity.
-
-Reviewed-by: Arend Van Spriel <arend.vanspriel@broadcom.com>
-Reviewed-by: Franky Lin <franky.lin@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
-Signed-off-by: Hante Meuleman <hante.meuleman@broadcom.com>
-Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
- drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -3699,6 +3699,7 @@ static void brcmf_configure_wowl(struct
- struct cfg80211_wowlan *wowl)
- {
- u32 wowl_config;
-+ struct brcmf_wowl_wakeind_le wowl_wakeind;
- u32 i;
-
- brcmf_dbg(TRACE, "Suspend, wowl config.\n");
-@@ -3740,8 +3741,9 @@ static void brcmf_configure_wowl(struct
- if (!test_bit(BRCMF_VIF_STATUS_CONNECTED, &ifp->vif->sme_state))
- wowl_config |= BRCMF_WOWL_UNASSOC;
-
-- brcmf_fil_iovar_data_set(ifp, "wowl_wakeind", "clear",
-- sizeof(struct brcmf_wowl_wakeind_le));
-+ memcpy(&wowl_wakeind, "clear", 6);
-+ brcmf_fil_iovar_data_set(ifp, "wowl_wakeind", &wowl_wakeind,
-+ sizeof(wowl_wakeind));
- brcmf_fil_iovar_int_set(ifp, "wowl", wowl_config);
- brcmf_fil_iovar_int_set(ifp, "wowl_activate", 1);
- brcmf_bus_wowl_config(cfg->pub->bus_if, true);
|