OSDN Git Service

(root) / sagit-ice-cold / kernel_xiaomi_msm8998.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 52a9551) | patch
libertas: Fix two buffer overflows at parsing bss descriptor
authorWen Huang <huangwenabc@gmail.com>
Thu, 28 Nov 2019 10:51:04 +0000 (18:51 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 29 Jan 2020 09:21:53 +0000 (10:21 +0100)
commit4d7f4d383230f6ef4f8a32e1fbfa4eb7c682522f
tree00b328c42b5cdbdc75e945a79637ab0d1408e792tree | snapshot
parent52a9551156693ae6fd7ce7962e76e22b890d4335commit | diff
libertas: Fix two buffer overflows at parsing bss descriptor

commit e5e884b42639c74b5b57dc277909915c0aefc8bb upstream.

add_ie_rates() copys rates without checking the length
in bss descriptor from remote AP.when victim connects to
remote attacker, this may trigger buffer overflow.
lbs_ibss_join_existing() copys rates without checking the length
in bss descriptor from remote IBSS node.when victim connects to
remote attacker, this may trigger buffer overflow.
Fix them by putting the length check before performing copy.

This fix addresses CVE-2019-14896 and CVE-2019-14897.
This also fix build warning of mixed declarations and code.

Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Wen Huang <huangwenabc@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/net/wireless/libertas/cfg.c diff | blob | history
Mirror: https://github.com/0ranko0P/kernel_xiaomi_msm8998/
About OSDN
Find Software
Develop Software
Help