1 | From ded89912156b1a47d940a0c954c43afbabd0c42c Mon Sep 17 00:00:00 2001 |
2 | From: Arend Van Spriel <arend.vanspriel@broadcom.com> | |
3 | Date: Mon, 5 Sep 2016 10:45:47 +0100 | |
4 | Subject: brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap() | |
5 | ||
6 | From: Arend Van Spriel <arend.vanspriel@broadcom.com> | |
7 | ||
8 | commit ded89912156b1a47d940a0c954c43afbabd0c42c upstream. | |
9 | ||
10 | User-space can choose to omit NL80211_ATTR_SSID and only provide raw | |
11 | IE TLV data. When doing so it can provide SSID IE with length exceeding | |
12 | the allowed size. The driver further processes this IE copying it | |
13 | into a local variable without checking the length. Hence stack can be | |
14 | corrupted and used as exploit. | |
15 | ||
16 | Reported-by: Daxing Guo <freener.gdx@gmail.com> | |
17 | Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> | |
18 | Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> | |
19 | Reviewed-by: Franky Lin <franky.lin@broadcom.com> | |
20 | Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> | |
21 | Signed-off-by: Kalle Valo <kvalo@codeaurora.org> | |
22 | Signed-off-by: Juerg Haefliger <juerg.haefliger@hpe.com> | |
23 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
24 | ||
25 | --- | |
26 | drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c | 2 +- | |
27 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
28 | ||
29 | --- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c | |
30 | +++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c | |
31 | @@ -4102,7 +4102,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wi | |
32 | (u8 *)&settings->beacon.head[ie_offset], | |
33 | settings->beacon.head_len - ie_offset, | |
34 | WLAN_EID_SSID); | |
35 | - if (!ssid_ie) | |
36 | + if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN) | |
37 | return -EINVAL; | |
38 | ||
39 | memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len); |
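Review bot: The added check bounds `ssid_ie->len` by the protocol constant `IEEE80211_MAX_SSID_LEN`, but the memcpy at the end of the hunk writes into `ssid_le.SSID`, and nothing in the hunk ties that field's size to the constant, so the guard protects the copy only as long as the two happen to agree. Bounding against the destination makes the check self-evidently sufficient and survives a change to the struct: `if (!ssid_ie || ssid_ie->len > sizeof(ssid_le.SSID))`, optionally paired with a `BUILD_BUG_ON(sizeof(ssid_le.SSID) < IEEE80211_MAX_SSID_LEN)` if the 802.11 limit must also hold. Whether the TLV parser that produced `ssid_ie` has already verified that `ssid_ie->len` does not run past `settings->beacon.head_len` is not visible here and is worth confirming, since the commit message says this data is raw user-supplied IE TLVs. brcmf_cfg80211_start_ap begins before and continues after this hunk.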