]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/commitdiff
projects / mirror_ubuntu-zesty-kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c06e917)
brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
authorArend van Spriel <arend.vanspriel@broadcom.com>
Tue, 22 Aug 2017 09:08:00 +0000 (11:08 +0200)
committerKleber Sacilotto de Souza <kleber.souza@canonical.com>
Wed, 23 Aug 2017 14:43:59 +0000 (16:43 +0200)
The lower level nl80211 code in cfg80211 ensures that "len" is between
25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
"len" so thats's max of 2280.  However, the action_frame->data[] buffer is
only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
overflow.

memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
       le16_to_cpu(action_frame->len));

Cc: stable@vger.kernel.org # 3.9.x
Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
CVE-2017-7541

(cherry-picked from commit 8f44c9a41386729fea410e688959ddaa9d51be7c)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: Colin King <colin.king@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c patch | blob | blame | history

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 7ffc4aba5bab0683fe993d1d5eef9e8e3d8389d0..baa12e9450c63989ec3ae0da10e8c0754a636d09 100644 (file)
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -4839,6 +4839,11 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
                cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, true,
                                        GFP_KERNEL);
        } else if (ieee80211_is_action(mgmt->frame_control)) {
+               if (len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN) {
+                       brcmf_err("invalid action frame length\n");
+                       err = -EINVAL;
+                       goto exit;
+               }
                af_params = kzalloc(sizeof(*af_params), GFP_KERNEL);
                if (af_params == NULL) {
                        brcmf_err("unable to allocate frame\n");
ubuntu-zesty-kernel mirror