Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote:
> User-space can choose to omit NL80211_ATTR_SSID and only provide raw
> IE TLV data. When doing so it can provide SSID IE with length exceeding
> the allowed size. The driver further processes this IE copying it
> into a local variable without checking the length. Hence stack can be
> corrupted and used as exploit.
>
> Cc: stable@xxxxxxxxxxxxxxx # v4.7
> Reported-by: Daxing Guo <freener.gdx@xxxxxxxxx>
> Reviewed-by: Hante Meuleman <hante.meuleman@xxxxxxxxxxxx>
> Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@xxxxxxxxxxxx>
> Reviewed-by: Franky Lin <franky.lin@xxxxxxxxxxxx>
> Signed-off-by: Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx>

Thanks, 1 patch applied to wireless-drivers.git:

ded89912156b brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()

--
Sent by pwcli
https://patchwork.kernel.org/patch/9313305/
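
The length validation the quoted commit message calls for, shown as an added example that is not part of the original mail and is not the brcmfmac driver's code: a raw IE TLV buffer is walked, and the SSID element is copied into a fixed-size buffer only after its length is checked. The names `find_ie`, `extract_ssid` and `struct ssid_buf` are hypothetical; the 32-octet limit is the 802.11 maximum SSID length.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EID_SSID      0   /* 802.11 element ID of the SSID element */
#define MAX_SSID_LEN  32  /* 802.11 limit on SSID length in octets */

struct ssid_buf {                 /* hypothetical fixed-size destination */
    uint8_t len;
    uint8_t ssid[MAX_SSID_LEN];
};

/* Walk a raw IE buffer (id, len, value ...) and return the first element
 * with the given id, or NULL. A truncated element ends the walk. */
static const uint8_t *find_ie(const uint8_t *ies, size_t total, uint8_t id)
{
    size_t off = 0;
    while (total - off >= 2) {
        size_t elen = ies[off + 1];
        if (elen > total - off - 2)
            return NULL;          /* element runs past the buffer end */
        if (ies[off] == id)
            return ies + off;
        off += 2 + elen;
    }
    return NULL;
}

/* Copy the SSID out of caller-supplied IEs. Returns 0 on success,
 * -1 if no SSID IE is present or its length exceeds MAX_SSID_LEN. */
int extract_ssid(const uint8_t *ies, size_t total, struct ssid_buf *out)
{
    const uint8_t *ie = find_ie(ies, total, EID_SSID);
    if (ie == NULL || ie[1] > MAX_SSID_LEN)  /* bound the copy before it happens */
        return -1;
    out->len = ie[1];
    memcpy(out->ssid, ie + 2, ie[1]);
    return 0;
}

int main(void)
{
    /* Constructed input: an SSID IE claiming 40 octets, over the limit. */
    uint8_t big[2 + 40] = {EID_SSID, 40};
    struct ssid_buf out;
    return extract_ssid(big, sizeof big, &out) == -1 ? 0 : 1;
}
```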