On Fri, Jul 7, 2017 at 9:39 PM, Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote: > On 07-07-17 14:47, Sedat Dilek wrote: >> On Fri, Jul 7, 2017 at 2:01 PM, Arend van Spriel >> <arend.vanspriel@xxxxxxxxxxxx> wrote: >>> The lower level nl80211 code in cfg80211 ensures that "len" is between >>> 25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from >>> "len" so thats's max of 2280. However, the action_frame->data[] buffer is >>> only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can >>> overflow. >>> >>> memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN], >>> le16_to_cpu(action_frame->len)); >>> >>> Reported-by: "freenerguo(郭大兴)" <freenerguo@xxxxxxxxxxx> >>> Signed-off-by: Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx> >>> --- >>> Hi Kalle, >>> >>> Here is the patch as Linus send it to us and security@xxxxxxxxxx. I >>> removed the lower bound check as that is already done in cfg80211. >>> Now I signed off on the patch although formally I suppose Linus should >>> sign it off. Putting it out there so people can respond as deemed >>> necessary. >>> >>> Now fingers crossed whether patchwork will properly deal with the UTF-8 >>> characters :-p >>> >> >> Somehow horrific to see - less in usage (no CC here). > > Sorry, Sedat > > What is horrific? It is a bit cryptic (for me) what you would like me to > do now if anything. > You did a CC <security@xxxxxxxxxx>, thanks. Looking at the sources, docs and (commit) logs, this email-address seems "unknown" and less in usage. - Sedat - > Regards, > Arend > >> - Sedat - >> >> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=security%40kernel.org >>
