Diffstat (limited to 'package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch')
-rw-r--r--package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch32
1 files changed, 32 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch b/package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch
new file mode 100644
index 0000000000..27b3bcdfee
--- /dev/null
+++ b/package/kernel/mac80211/patches/326-v4.14-0005-brcmfmac-Add-check-for-short-event-packets.patch
@@ -0,0 +1,32 @@
+From dd2349121bb1b8ff688c3ca6a2a0bea9d8c142ca Mon Sep 17 00:00:00 2001
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Sat, 16 Sep 2017 21:08:24 -0700
+Subject: [PATCH] brcmfmac: Add check for short event packets
+
+The length of the data in the received skb is currently passed into
+brcmf_fweh_process_event() as packet_len, but this value is not checked.
+event_packet should be followed by DATALEN bytes of additional event
+data. Ensure that the received packet actually contains at least
+DATALEN bytes of additional data, to avoid copying uninitialized memory
+into event->data.
+
+Cc: <stable@vger.kernel.org> # v3.8
+Suggested-by: Mattias Nissler <mnissler@chromium.org>
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+@@ -429,7 +429,8 @@ void brcmf_fweh_process_event(struct brc
+ if (code != BRCMF_E_IF && !fweh->evt_handler[code])
+ return;
+
+- if (datalen > BRCMF_DCMD_MAXLEN)
++ if (datalen > BRCMF_DCMD_MAXLEN ||
++ datalen + sizeof(*event_packet) > packet_len)
+ return;
+
+ if (in_interrupt())
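Review bot: The added bound in `brcmf_fweh_process_event()` depends on operand order: `datalen + sizeof(*event_packet)` is only guaranteed not to wrap because `datalen > BRCMF_DCMD_MAXLEN` is rejected first, and nothing in the code says so. A comment above the condition would keep a later reorder from weakening the check, for example `/* datalen is bounded first, so the sum below cannot wrap */`. Separately, `code` and `datalen` are already in use at the top of the hunk, presumably parsed from the event header in lines outside it. The new test therefore only protects the copy into `event->data`, and it should be confirmed that the caller rejects packets with `packet_len < sizeof(*event_packet)` before those header fields are read. The function body starts and ends outside the hunk.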