Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
> The "ext->key_len" is a u16 that comes from the user. If it's over
> SCM_KEY_LEN (32) that could lead to memory corruption.
>
> Fixes: e0d369d1d969 ("[PATCH] ieee82011: Added WE-18 support to default wireless extension handler")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> Acked-by: Stanislav Yakovlev <stas.yakovlev@xxxxxxxxx>
Patch applied to wireless-drivers-next.git, thanks.
260a9ad94467 ipw2x00: potential buffer overflow in libipw_wx_set_encodeext()
--
https://patchwork.kernel.org/project/linux-wireless/patch/YHaoA1i+8uT4ir4h@mwanda/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
