linux-xiaomi-chiron/drivers/net/wireless/broadcom/brcm80211/brcmfmac
Arend van Spriel 8f44c9a413 brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
The lower level nl80211 code in cfg80211 ensures that "len" is between
25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
"len" so that's a max of 2280.  However, the action_frame->data[] buffer is
only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
overflow.

	memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
	       le16_to_cpu(action_frame->len));

Cc: stable@vger.kernel.org # 3.9.x
Fixes: 18e2f61db3 ("brcmfmac: P2P action frame tx.")
Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-07-12 08:29:56 -07:00
bcdc.c brcmfmac: remove reference to fwsignal data from struct brcmf_pub 2017-04-13 17:07:22 +03:00
bcdc.h brcmfmac: remove reference to fwsignal data from struct brcmf_pub 2017-04-13 17:07:22 +03:00
bcmsdh.c brcmfmac: initialize oob irq data before request_irq() 2017-06-21 18:30:59 +03:00
btcoex.c brcmfmac: btcoex: replace init_timer with setup_timer 2017-05-22 18:18:05 +03:00
btcoex.h
bus.h brcmfmac: rework headroom check in .start_xmit() 2017-06-28 20:53:06 +03:00
cfg80211.c brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() 2017-07-12 08:29:56 -07:00
cfg80211.h brcmfmac: support 4-way handshake offloading for 802.1X 2017-06-30 09:38:22 +03:00
chip.c brcmfmac: add support for the PCIE devices 43525 and 43465 2016-06-16 18:20:05 +03:00
chip.h brcmfmac: access PMU registers using standalone PMU core if available 2016-02-06 13:52:47 +02:00
common.c brcmfmac: Do not print the firmware version as an error 2017-03-20 19:14:16 +02:00
common.h brcmfmac: move brcmf_c_set_joinpref_default declaration to common.h 2017-01-20 12:03:56 +02:00
commonring.c
commonring.h
core.c brcmfmac: rework headroom check in .start_xmit() 2017-06-28 20:53:06 +03:00
core.h brcmfmac: remove reference to fwsignal data from struct brcmf_pub 2017-04-13 17:07:22 +03:00
debug.c brcmfmac: always print error when PSM's watchdog fires 2017-03-20 19:13:37 +02:00
debug.h brcmfmac: add support multi-scheduled scan 2017-06-13 09:57:49 +03:00
feature.c brcmfmac: support 4-way handshake offloading for WPA/WPA2-PSK 2017-06-30 09:38:22 +03:00
feature.h brcmfmac: support 4-way handshake offloading for WPA/WPA2-PSK 2017-06-30 09:38:22 +03:00
firmware.c brcmfmac: use firmware callback upon failure to load 2017-06-15 19:06:11 +03:00
firmware.h brcmfmac: add parameter to pass error code in firmware callback 2017-06-15 19:06:00 +03:00
flowring.c brcmfmac: use correct skb freeing helper when deleting flowring 2016-09-27 18:47:55 +03:00
flowring.h brcmfmac: Increase nr of supported flowrings. 2016-02-25 11:59:22 +02:00
fweh.c brcmfmac: wrap brcmf_fws_reset_interface into bcdc layer 2017-03-20 19:14:53 +02:00
fweh.h brcmfmac: support 4-way handshake offloading for WPA/WPA2-PSK 2017-06-30 09:38:22 +03:00
fwil.c brcmfmac: Return actual error by fwil. 2015-11-30 14:46:38 +02:00
fwil.h brcmfmac: support 4-way handshake offloading for WPA/WPA2-PSK 2017-06-30 09:38:22 +03:00
fwil_types.h brcmfmac: support 4-way handshake offloading for WPA/WPA2-PSK 2017-06-30 09:38:22 +03:00
fwsignal.c brcmfmac: fix brcmf_fws_add_interface() for USB devices 2017-06-15 19:10:11 +03:00
fwsignal.h brcmfmac: remove reference to fwsignal data from struct brcmf_pub 2017-04-13 17:07:22 +03:00
Makefile brcmfmac: only build fwsignal module for CONFIG_BRCMFMAC_PROTO_BCDC 2017-04-19 14:39:44 +03:00
msgbuf.c brcmfmac: add pcie host dongle interface rev6 support 2016-11-29 17:29:24 +02:00
msgbuf.h brcmfmac: add pcie host dongle interface rev6 support 2016-11-29 17:29:24 +02:00
of.c brcmfmac: make brcmf_of_probe more generic 2017-01-19 14:45:13 +02:00
of.h brcmfmac: make brcmf_of_probe more generic 2017-01-19 14:45:13 +02:00
p2p.c brcmfmac: fix double free upon register_netdevice() failure 2017-06-27 17:13:57 +03:00
p2p.h cfg80211: move add/change interface monitor flags into params 2017-04-13 13:41:38 +02:00
pcie.c brcmfmac: add parameter to pass error code in firmware callback 2017-06-15 19:06:00 +03:00
pcie.h
pno.c brcmfmac: add scheduled scan support for specified BSSIDs 2017-06-13 09:57:51 +03:00
pno.h brcmfmac: add support multi-scheduled scan 2017-06-13 09:57:49 +03:00
proto.c brcmfmac: proto: add callback for queuing TX data 2016-11-09 03:30:32 +02:00
proto.h brcmfmac: wrap brcmf_fws_init into bcdc layer 2017-04-05 15:40:59 +03:00
sdio.c brcmfmac: rework headroom check in .start_xmit() 2017-06-28 20:53:06 +03:00
sdio.h brcmfmac: Fix 'did not remove int handler' warning 2016-06-04 17:58:52 +03:00
tracepoint.c brcmfmac: add missing header dependencies 2016-09-03 13:10:13 +03:00
tracepoint.h
usb.c brcmfmac: fix uninitialized warning in brcmf_usb_probe_phase2() 2017-06-16 11:52:36 +03:00
usb.h
vendor.c
vendor.h