1 files changed, 0 insertions, 41 deletions

diff --git a/package/kernel/mac80211/patches/subsys/351-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch b/package/kernel/mac80211/patches/subsys/351-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch
deleted file mode 100644
index 9e1f781367..0000000000
--- a/package/kernel/mac80211/patches/subsys/351-wifi-cfg80211-fix-u8-overflow-in-cfg80211_update_not.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Wed, 28 Sep 2022 21:56:15 +0200
-Subject: [PATCH] wifi: cfg80211: fix u8 overflow in
- cfg80211_update_notlisted_nontrans()
-
-commit aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d upstream.
-
-In the copy code of the elements, we do the following calculation
-to reach the end of the MBSSID element:
-
-	/* copy the IEs after MBSSID */
-	cpy_len = mbssid[1] + 2;
-
-This looks fine, however, cpy_len is a u8, the same as mbssid[1],
-so the addition of two can overflow. In this case the subsequent
-memcpy() will overflow the allocated buffer, since it copies 256
-bytes too much due to the way the allocation and memcpy() sizes
-are calculated.
-
-Fix this by using size_t for the cpy_len variable.
-
-This fixes CVE-2022-41674.
-
-Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
-Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
-Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/wireless/scan.c
-+++ b/net/wireless/scan.c
-@@ -2238,7 +2238,7 @@ cfg80211_update_notlisted_nontrans(struc
- 	size_t new_ie_len;
- 	struct cfg80211_bss_ies *new_ies;
- 	const struct cfg80211_bss_ies *old;
--	u8 cpy_len;
-+	size_t cpy_len;
- 
- 	lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);
-