net: wireless: bcmdhd_xxx: Heap overflow in wl_run_escan.
1) The default_chan_list buffer overflow is avoided by checking n_nodfs index does not exceed num_chans, which is the length of default_chan_list buffer.
2) The SSID length check 32 (max limit) is done and then the SSID name copied in extra buffer is null terminated. The extra buffer is allocated a length of 33 in wl_iw_ioctl.c.
3) Issue of chances of cumulative results->pkt_count length exceeding allocated memory length of results->total_count is avoided in this fix. change_array is the destination array whose length is allocated to results->total_count.

Signed-off-by: Sudhir Kohalli <sudhir.kohalli@broadcom.com>
Bug: 34197514
Bug: 34199963
Bug: 34198729
Change-Id: I0cd268ab696daac938a99f451607a3f4b2cfaed3

[haggertk]: Partial patch - dhd_handle_swc_evt() changes not relevant, this bcmdhd version does not contain that function

CVE-2017-0568
CVE-2017-0569
CVE-2017-0570

Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
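The three bounds checks listed in the commit message, written out as an added illustration in C; this is not the bcmdhd driver's code and not the patch itself. The function names, signatures and element types are assumptions, and only the buffer roles (a list bounded by num_chans, a 33-byte SSID buffer, a destination array sized to total_count) come from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SSID_MAX_LEN 32                  /* max SSID length named in the message */
#define SSID_BUF_LEN (SSID_MAX_LEN + 1)  /* the 33-byte buffer: SSID plus NUL */

/* Item 2: reject an over-long SSID, then copy and null terminate. */
int copy_ssid(char dst[SSID_BUF_LEN], const uint8_t *ssid, size_t ssid_len)
{
    if (ssid_len > SSID_MAX_LEN)
        return -1;
    memcpy(dst, ssid, ssid_len);
    dst[ssid_len] = '\0';
    return 0;
}

/* Item 1: write a channel only while the index is inside the list.
 * Returns the next index, or -1 when the list is already full. */
int append_chan(uint16_t *chan_list, size_t num_chans, size_t n_nodfs, uint16_t chan)
{
    if (n_nodfs >= num_chans)
        return -1;
    chan_list[n_nodfs] = chan;
    return (int)(n_nodfs + 1);
}

/* Item 3: accept a batch only if the running total stays within total_count.
 * The check subtracts instead of adding so it cannot wrap around.
 * Returns the new running total, or -1 when the batch does not fit. */
long append_batch(uint32_t *dst, size_t total_count, size_t filled,
                  const uint32_t *src, size_t pkt_count)
{
    if (filled > total_count || pkt_count > total_count - filled)
        return -1;
    memcpy(dst + filled, src, pkt_count * sizeof(*src));
    return (long)(filled + pkt_count);
}

int main(void)
{
    /* Constructed input: a 33-byte SSID must be rejected (exit status 0). */
    char buf[SSID_BUF_LEN];
    uint8_t ssid[33] = {0};
    return copy_ssid(buf, ssid, sizeof(ssid)) == -1 ? 0 : 1;
}
```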