www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Tim Tianyang Chen <tianyang.chen@oracle.com>
	Thu, 28 Sep 2017 21:11:57 +0000 (14:11 -0700)
committer	Chuck Anderson <chuck.anderson@oracle.com>
	Fri, 6 Oct 2017 03:36:37 +0000 (20:36 -0700)
commit	275f8cb025b32be82b2f6bb35dc15948892c5edd
tree	2a50d23d264236a94985d2c22c4382777c6d4536	tree
parent	2797e60e4d498e4edf5ecd52cd55774c8a508080	commit \| diff

brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()

The lower level nl80211 code in cfg80211 ensures that "len" is between
25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
"len" so thats's max of 2280.  However, the action_frame->data[] buffer is
only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
overflow.

    memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
           le16_to_cpu(action_frame->len));

Cc: stable@vger.kernel.org # 3.9.x
Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 8f44c9a41386729fea410e688959ddaa9d51be7c)

Orabug: 26540118
CVE: CVE-2017-7541

Signed-off-by: Tim Tianyang Chen <tianyang.chen@oracle.com>
Reviewed-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
cfg80211.c is in a different directory.
Conflicts:
    drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c