dgit.raspbian.org Git - linux-4.9.git/commit

author	Arend van Spriel <arend.vanspriel@broadcom.com>
	Fri, 7 Jul 2017 20:09:06 +0000 (21:09 +0100)
committer	Ben Hutchings <ben@decadent.org.uk>
	Tue, 19 Sep 2017 01:34:05 +0000 (02:34 +0100)
commit	fcba383ce8b35049b0f1bbd8776845ccf2bc7f36
tree	45f7aa43aae6ab2da51ebc3d6a4452e3579a0215	tree \| snapshot
parent	2ba52f202cf2f848ff27c9e151cc14a6c9346152	commit \| diff

brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()

The lower level nl80211 code in cfg80211 ensures that "len" is between
25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
"len" so thats's max of 2280.  However, the action_frame->data[] buffer is
only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
overflow.

memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
       le16_to_cpu(action_frame->len));

Cc: stable@vger.kernel.org # 3.9.x
Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name brcmfmac-fix-possible-buffer-overflow-in-brcmf_cfg80.patch