[PATCH 2/2] brcmfmac: assure SSID length from firmware is limited
Tyler Hicks
tyhicks at canonical.com
Thu Apr 18 07:18:22 UTC 2019
From: Arend van Spriel <arend.vanspriel at broadcom.com>
The SSID length as received from firmware should not exceed
IEEE80211_MAX_SSID_LEN as that would result in heap overflow.
Reviewed-by: Hante Meuleman <hante.meuleman at broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts at broadcom.com>
Reviewed-by: Franky Lin <franky.lin at broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel at broadcom.com>
Signed-off-by: Kalle Valo <kvalo at codeaurora.org>
CVE-2019-9500
(cherry picked from commit 1b5e2423164b3670e8bc9174e4762d297990deff)
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 35301237d435..9f85eec3d79f 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -3474,6 +3474,8 @@ brcmf_wowl_nd_results(struct brcmf_if *ifp, const struct brcmf_event_msg *e,
}
netinfo = brcmf_get_netinfo_array(pfn_result);
+ if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
+ netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;
memcpy(cfg->wowl.nd->ssid.ssid, netinfo->SSID, netinfo->SSID_len);
cfg->wowl.nd->ssid.ssid_len = netinfo->SSID_len;
cfg->wowl.nd->n_channels = 1;
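Review bot: The two added lines clamp an oversized netinfo->SSID_len silently and write the clamped value back into the firmware-supplied netinfo, so firmware that reports a length above IEEE80211_MAX_SSID_LEN leaves no trace and the stored SSID is a truncated one. Consider logging the out-of-range length, or failing the event, before the memcpy. Clamping into a local variable that is then used for both the memcpy and the `cfg->wowl.nd->ssid.ssid_len` assignment would also avoid modifying the event buffer in place.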
--
2.7.4