Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 782de7d5 authored by Insun Song's avatar Insun Song Committed by Alexander Alexeev
Browse files

net: wireless: bcmdhd_xxx: adding boudary check in wl_escan_handler 



WLC_E_ESCAN_RESULT event could be manipulated especially two length field
inside, one is for escan_result buffer length and another one is
bss_info length, the forged fields may bypass current length check and
corrupt kernel heap memory.

so added checking validation for two length fields in WLC_E_ESCAN_RESULT
event.

Signed-off-by: default avatarInsun Song <insun.song@broadcom.com>
Bug: 37351060
Change-Id: I31e9fccc48fc06278fb3a87a76ef7337296c2b0d
CVE-2017-0786
Signed-off-by: default avatarKevin F. Haggerty <haggertk@lineageos.org>
parent 37dbd9e9
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment