source: branches/chaos_calmer/package/kernel/mac80211/patches/351-0036-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch @ 49407

Last change on this file since 49407 was 49407, checked in by rmilecki, 12 months ago

mac80211: brcmfmac: backport changes from 2016-09-27

This fixes memory leaks, some possible crashes and bug that could cause
WARNING on every add_key/del_key call. It also replaces WARNING with
a simple message. They may still occur e.g. on station going out of
range and A-MPDU stall in the firmware.

Signed-off-by: Rafał Miłecki <rafal@…>

File size: 1.5 KB
  • drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c

    From ded89912156b1a47d940a0c954c43afbabd0c42c Mon Sep 17 00:00:00 2001
    From: Arend Van Spriel <arend.vanspriel@broadcom.com>
    Date: Mon, 5 Sep 2016 10:45:47 +0100
    Subject: [PATCH] brcmfmac: avoid potential stack overflow in
     brcmf_cfg80211_start_ap()
    
    User-space can choose to omit NL80211_ATTR_SSID and only provide raw
    IE TLV data. When doing so it can provide SSID IE with length exceeding
    the allowed size. The driver further processes this IE copying it
    into a local variable without checking the length. Hence stack can be
    corrupted and used as exploit.
    
    Cc: stable@vger.kernel.org # v4.7
    Reported-by: Daxing Guo <freener.gdx@gmail.com>
    Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
    Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
    Reviewed-by: Franky Lin <franky.lin@broadcom.com>
    Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    ---
     drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +-
     1 file changed, 1 insertion(+), 1 deletion(-)
    
    a b brcmf_cfg80211_start_ap(struct wiphy *wi 
    44474447                                (u8 *)&settings->beacon.head[ie_offset], 
    44484448                                settings->beacon.head_len - ie_offset, 
    44494449                                WLAN_EID_SSID); 
    4450                 if (!ssid_ie) 
     4450                if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN) 
    44514451                        return -EINVAL; 
    44524452 
    44534453                memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len); 
Note: See TracBrowser for help on using the repository browser.