diff options
| author | Felix Fietkau <nbd@nbd.name> | 2016-10-08 13:53:14 +0200 |
|---|---|---|
| committer | Felix Fietkau <nbd@nbd.name> | 2016-10-13 17:06:03 +0200 |
| commit | ad51e09fd1301484820a466a49447a34d7504882 (patch) | |
| tree | 06d56b89cf8709b0e9ca63528f8efc411089ddf5 /package/kernel/mac80211/patches/319-0017-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch | |
| parent | 4379bcb1b4b73fb8487a14bec9554a17d4726e35 (diff) | |
| download | upstream-ad51e09fd1301484820a466a49447a34d7504882.tar.gz upstream-ad51e09fd1301484820a466a49447a34d7504882.tar.bz2 upstream-ad51e09fd1301484820a466a49447a34d7504882.zip | |
mac80211: update to wireless-testing 2016-10-08
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Diffstat (limited to 'package/kernel/mac80211/patches/319-0017-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch')
| -rw-r--r-- | package/kernel/mac80211/patches/319-0017-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch | 34 |
1 files changed, 0 insertions, 34 deletions
diff --git a/package/kernel/mac80211/patches/319-0017-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch b/package/kernel/mac80211/patches/319-0017-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch deleted file mode 100644 index a56dd72c46..0000000000 --- a/package/kernel/mac80211/patches/319-0017-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch +++ /dev/null @@ -1,34 +0,0 @@ -From ded89912156b1a47d940a0c954c43afbabd0c42c Mon Sep 17 00:00:00 2001 -From: Arend Van Spriel <arend.vanspriel@broadcom.com> -Date: Mon, 5 Sep 2016 10:45:47 +0100 -Subject: [PATCH] brcmfmac: avoid potential stack overflow in - brcmf_cfg80211_start_ap() - -User-space can choose to omit NL80211_ATTR_SSID and only provide raw -IE TLV data. When doing so it can provide SSID IE with length exceeding -the allowed size. The driver further processes this IE copying it -into a local variable without checking the length. Hence stack can be -corrupted and used as exploit. - -Cc: stable@vger.kernel.org # v4.7 -Reported-by: Daxing Guo <freener.gdx@gmail.com> -Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> -Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> -Reviewed-by: Franky Lin <franky.lin@broadcom.com> -Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> -Signed-off-by: Kalle Valo <kvalo@codeaurora.org> ---- - drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c -@@ -4523,7 +4523,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wi - (u8 *)&settings->beacon.head[ie_offset], - settings->beacon.head_len - ie_offset, - WLAN_EID_SSID); -- if (!ssid_ie) -+ if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN) - return -EINVAL; - - memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len); |