--- /dev/null
+From 659e2a827152dc817e85c6914ba17cc80f080918 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Dec 2020 16:48:01 +0800
+Subject: mwifiex: Fix possible buffer overflows in
+ mwifiex_cmd_802_11_ad_hoc_start
+
+From: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
+
+[ Upstream commit 5c455c5ab332773464d02ba17015acdca198f03d ]
+
+mwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking
+the destination size may trigger a buffer overflower,
+which a local user could use to cause denial of service
+or the execution of arbitrary code.
+Fix it by putting the length check before calling memcpy().
+
+Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20201206084801.26479-1-ruc_zhangxiaohui@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mwifiex/join.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/mwifiex/join.c b/drivers/net/wireless/mwifiex/join.c
+index 6378dfd3b4e86..83b7cd5bdf930 100644
+--- a/drivers/net/wireless/mwifiex/join.c
++++ b/drivers/net/wireless/mwifiex/join.c
+@@ -856,6 +856,8 @@ mwifiex_cmd_802_11_ad_hoc_start(struct mwifiex_private *priv,
+
+ memset(adhoc_start->ssid, 0, IEEE80211_MAX_SSID_LEN);
+
++ if (req_ssid->ssid_len > IEEE80211_MAX_SSID_LEN)
++ req_ssid->ssid_len = IEEE80211_MAX_SSID_LEN;
+ memcpy(adhoc_start->ssid, req_ssid->ssid, req_ssid->ssid_len);
+
+ mwifiex_dbg(adapter, INFO, "info: ADHOC_S_CMD: SSID = %s\n",
+--
+2.27.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
