On 5-9-2016 11:45, Arend van Spriel wrote:
> User-space can choose to omit NL80211_ATTR_SSID and only provide raw
> IE TLV data. When doing so it can provide SSID IE with length exceeding
> the allowed size. The driver further processes this IE copying it
> into a local variable without checking the length. Hence stack can be
> corrupted and used as exploit.

This patch is intended for wireless-drivers repository, i.e. for v4.8.

Regards,
Arend

> Cc: stable@xxxxxxxxxxxxxxx # v4.7
> Reported-by: Daxing Guo <freener.gdx@xxxxxxxxx>
> Reviewed-by: Hante Meuleman <hante.meuleman@xxxxxxxxxxxx>
> Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@xxxxxxxxxxxx>
> Reviewed-by: Franky Lin <franky.lin@xxxxxxxxxxxx>
> Signed-off-by: Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx>
> ---
>  drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> index 5db56a7..b8aec5e5 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> @@ -4527,7 +4527,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
>  				     (u8 *)&settings->beacon.head[ie_offset],
>  				     settings->beacon.head_len - ie_offset,
>  				     WLAN_EID_SSID);
> -	if (!ssid_ie)
> +	if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)
>  		return -EINVAL;
>
>  	memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);
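Review bot: the new bound in `+	if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)` is tied to the destination of `memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);` only by convention; consider bounding against `sizeof(ssid_le.SSID)` (or adding a BUILD_BUG_ON that the two agree) so the check cannot drift from the buffer it protects. Rejecting with -EINVAL rather than truncating is the right choice, since an SSID element longer than IEEE80211_MAX_SSID_LEN is invalid input, not merely unsafe to copy; that reasoning would be worth a sentence in the commit message.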
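Added example, not code from the patch or from the brcmfmac driver: a bounds-checked walk over raw IE TLV data followed by a length-capped SSID copy, which is the defensive shape the fix above relies on. It checks two things the commit message separates: that each element's declared body fits inside the buffer (so the walker never returns a truncated or runaway element), and that the SSID body fits the fixed-size destination before memcpy. The names `find_ie`, `extract_ssid`, `run_samples`, `struct ie_hdr` and the three sample IE blobs are constructed for illustration; the two constants are assumed to mirror the kernel's numeric values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

/* Assumption: same numeric values as the kernel definitions. */
#define WLAN_EID_SSID          0
#define IEEE80211_MAX_SSID_LEN 32

/* Minimal TLV view of an 802.11 information element: id, len, data[len]. */
struct ie_hdr {
    uint8_t id;
    uint8_t len;
    uint8_t data[];
};

/* Return the first element with the given id, or NULL. Every step checks that
 * the 2-byte header and the declared body fit inside the buffer, so a
 * truncated element is rejected instead of being read past the end. */
static const struct ie_hdr *find_ie(const uint8_t *ies, size_t len, uint8_t eid)
{
    size_t off = 0;
    while (off + 2 <= len) {
        const struct ie_hdr *ie = (const struct ie_hdr *)(ies + off);
        if (off + 2 + ie->len > len)
            return NULL;            /* body runs past the buffer: reject */
        if (ie->id == eid)
            return ie;
        off += 2 + ie->len;
    }
    return NULL;
}

/* Copy the SSID element into a fixed-size destination. Mirrors the fixed code
 * path: missing element or len > IEEE80211_MAX_SSID_LEN yields -EINVAL.
 * On success the destination is zero-padded and the SSID length is returned. */
int extract_ssid(const uint8_t *ies, size_t len, uint8_t out[IEEE80211_MAX_SSID_LEN])
{
    const struct ie_hdr *ssid_ie = find_ie(ies, len, WLAN_EID_SSID);

    if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)
        return -EINVAL;

    memset(out, 0, IEEE80211_MAX_SSID_LEN);
    memcpy(out, ssid_ie->data, ssid_ie->len);
    return ssid_ie->len;
}

/* Constructed sample IE blobs (not captured from real hardware). */
/* Well-formed: a supported-rates element (id 1) followed by SSID "brcm". */
static const uint8_t good_ies[] = { 1, 2, 0x82, 0x84, WLAN_EID_SSID, 4, 'b', 'r', 'c', 'm' };
/* Oversized: SSID element declaring 40 bytes, all 40 actually present. */
static uint8_t oversized_ies[2 + 40];
/* Truncated: SSID element declaring 10 bytes but only 3 follow. */
static const uint8_t truncated_ies[] = { WLAN_EID_SSID, 10, 'a', 'b', 'c' };

/* Build the oversized sample and run the three cases; 0 means all behaved. */
int run_samples(void)
{
    uint8_t ssid[IEEE80211_MAX_SSID_LEN];
    int good, over, trunc;

    oversized_ies[0] = WLAN_EID_SSID;
    oversized_ies[1] = 40;
    memset(oversized_ies + 2, 'A', 40);

    good  = extract_ssid(good_ies, sizeof(good_ies), ssid);
    over  = extract_ssid(oversized_ies, sizeof(oversized_ies), ssid);
    trunc = extract_ssid(truncated_ies, sizeof(truncated_ies), ssid);
    printf("good=%d oversized=%d truncated=%d\n", good, over, trunc);

    return (good == 4 && over == -EINVAL && trunc == -EINVAL) ? 0 : -1;
}

int main(void)
{
    return run_samples() == 0 ? 0 : 1;
}
```

The oversized case is the one the patch addresses: the element is internally consistent (40 bytes declared, 40 present), so a walker alone accepts it, and only the cap against the destination size stops the copy. The truncated case is the other half of the contract: the walker refuses it before any length comparison happens.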