android_kernel_zuk_msm8996.git

diff options

author	Arend van Spriel <arend.vanspriel@broadcom.com>	2017-07-07 21:09:06 +0100
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-07-21 07:44:55 +0200
commit	4c7021c2fb74047649c03845ce6fd13626a5a418 (patch)
tree	cc21513fe63befc774f2d923bc397618be6e6e5a /tools/perf/scripts/python
parent	9618eb4af306e7f21330a6acf22cbec037d17f22 (diff)

brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()

commit 8f44c9a41386729fea410e688959ddaa9d51be7c upstream. The lower level nl80211 code in cfg80211 ensures that "len" is between 25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from "len" so thats's max of 2280. However, the action_frame->data[] buffer is only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can overflow. memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN], le16_to_cpu(action_frame->len)); Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.") Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'tools/perf/scripts/python')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: