On 07-07-17 14:47, Sedat Dilek wrote: > On Fri, Jul 7, 2017 at 2:01 PM, Arend van Spriel > <arend.vanspriel@xxxxxxxxxxxx> wrote: >> The lower level nl80211 code in cfg80211 ensures that "len" is between >> 25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from >> "len" so thats's max of 2280. However, the action_frame->data[] buffer is >> only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can >> overflow. >> >> memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN], >> le16_to_cpu(action_frame->len)); >> >> Reported-by: "freenerguo(郭大兴)" <freenerguo@xxxxxxxxxxx> >> Signed-off-by: Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx> >> --- >> Hi Kalle, >> >> Here is the patch as Linus send it to us and security@xxxxxxxxxx. I >> removed the lower bound check as that is already done in cfg80211. >> Now I signed off on the patch although formally I suppose Linus should >> sign it off. Putting it out there so people can respond as deemed >> necessary. >> >> Now fingers crossed whether patchwork will properly deal with the UTF-8 >> characters :-p >> > > Somehow horrific to see - less in usage (no CC here). Sorry, Sedat What is horrific? It is a bit cryptic (for me) what you would like me to do now if anything. Regards, Arend > - Sedat - > > [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=security%40kernel.org >
