android_kernel_zuk_msm8996.git

diff options

author	qize wang <wangqize888888888@gmail.com>	2019-11-29 18:10:54 +0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-03-20 09:06:24 +0100
commit	4ca9ed6965cc0b9ace3758355ff13d71b97bf008 (patch)
tree	b341f54fa8992e5037da664c9cc2e34cef939282 /scripts/stackusage
parent	c6e64f57f5e6817ee05d147fc0c36866ae88dd6f (diff)

mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()

commit 1e58252e334dc3f3756f424a157d1b7484464c40 upstream. mwifiex_process_tdls_action_frame() without checking the incoming tdls infomation element's vality before use it, this may cause multi heap buffer overflows. Fix them by putting vality check before use it. IE is TLV struct, but ht_cap and ht_oper aren’t TLV struct. the origin marvell driver code is wrong: memcpy(&sta_ptr->tdls_cap.ht_oper, pos,.... memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,... Fix the bug by changing pos(the address of IE) to pos+2 ( the address of IE value ). Signed-off-by: qize wang <wangqize888888888@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Matthias Maennich <maennich@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'scripts/stackusage')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: