On Fri, Jul 7, 2017 at 2:01 PM, Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote: > The lower level nl80211 code in cfg80211 ensures that "len" is between > 25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from > "len" so thats's max of 2280. However, the action_frame->data[] buffer is > only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can > overflow. > > memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN], > le16_to_cpu(action_frame->len)); > > Reported-by: "freenerguo(郭大兴)" <freenerguo@xxxxxxxxxxx> > Signed-off-by: Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx> > --- > Hi Kalle, > > Here is the patch as Linus send it to us and security@xxxxxxxxxx. I > removed the lower bound check as that is already done in cfg80211. > Now I signed off on the patch although formally I suppose Linus should > sign it off. Putting it out there so people can respond as deemed > necessary. > > Now fingers crossed whether patchwork will properly deal with the UTF-8 > characters :-p > Somehow horrific to see - less in usage (no CC here). - Sedat - [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=security%40kernel.org
