Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Unverified Commit a8fd3f64 authored by Arend van Spriel's avatar Arend van Spriel Committed by Harsh Shandilya
Browse files

brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() 



commit 8f44c9a41386729fea410e688959ddaa9d51be7c upstream.

The lower level nl80211 code in cfg80211 ensures that "len" is between
25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
"len" so thats's max of 2280.  However, the action_frame->data[] buffer is
only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
overflow.

	memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
	       le16_to_cpu(action_frame->len));

Cc: stable@vger.kernel.org # 3.9.x
Fixes: 18e2f61d ("brcmfmac: P2P action frame tx.")
Reported-by: default avatar"freenerguo(郭大兴)" <freenerguo@tencent.com>
Signed-off-by: default avatarArend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
[wt: s/cfg80211.c/wl_cfg80211.c in 3.10]

Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
parent a2e6659a
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment