diff options
Diffstat (limited to 'package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch')
-rw-r--r-- | package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch b/package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch new file mode 100644 index 0000000000..27b3bcdfee --- /dev/null +++ b/package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch @@ -0,0 +1,32 @@ +From dd2349121bb1b8ff688c3ca6a2a0bea9d8c142ca Mon Sep 17 00:00:00 2001 +From: Kevin Cernekee <cernekee@chromium.org> +Date: Sat, 16 Sep 2017 21:08:24 -0700 +Subject: [PATCH] brcmfmac: Add check for short event packets + +The length of the data in the received skb is currently passed into +brcmf_fweh_process_event() as packet_len, but this value is not checked. +event_packet should be followed by DATALEN bytes of additional event +data. Ensure that the received packet actually contains at least +DATALEN bytes of additional data, to avoid copying uninitialized memory +into event->data. + +Cc: <stable@vger.kernel.org> # v3.8 +Suggested-by: Mattias Nissler <mnissler@chromium.org> +Signed-off-by: Kevin Cernekee <cernekee@chromium.org> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +@@ -429,7 +429,8 @@ void brcmf_fweh_process_event(struct brc + if (code != BRCMF_E_IF && !fweh->evt_handler[code]) + return; + +- if (datalen > BRCMF_DCMD_MAXLEN) ++ if (datalen > BRCMF_DCMD_MAXLEN || ++ datalen + sizeof(*event_packet) > packet_len) + return; + + if (in_interrupt()) |