Kevin Cernekee <cernekee@xxxxxxxxxxxx> wrote:

> The length of the data in the received skb is currently passed into
> brcmf_fweh_process_event() as packet_len, but this value is not checked.
> event_packet should be followed by DATALEN bytes of additional event
> data. Ensure that the received packet actually contains at least
> DATALEN bytes of additional data, to avoid copying uninitialized memory
> into event->data.
>
> Suggested-by: Mattias Nissler <mnissler@xxxxxxxxxxxx>
> Signed-off-by: Kevin Cernekee <cernekee@xxxxxxxxxxxx>
> Reviewed-by: Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx>

I'll queue this for v4.14 and add:

Cc: stable@xxxxxxxxxxxxxxx # v3.8+

--
https://patchwork.kernel.org/patch/9945427/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
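The length check described in the quoted commit message, as an added userspace C example; it is not the brcmfmac patch or any code from this thread. The header layout, `struct demo_event_hdr`, `demo_get_be32()` and `demo_copy_event_data()` are hypothetical names and assumptions made for illustration, and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical event header for illustration; NOT the brcmfmac layout. */
struct demo_event_hdr {
    uint8_t type;
    uint8_t flags;
    uint8_t datalen_be[4]; /* big-endian count of data bytes that follow */
};

static uint32_t demo_get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Copy the trailing event data into out. Returns the number of bytes
 * copied, or -1 when the packet is shorter than its own header claims. */
static long demo_copy_event_data(const uint8_t *pkt, size_t packet_len,
                                 uint8_t *out, size_t out_cap)
{
    const size_t hdr_len = sizeof(struct demo_event_hdr);
    uint32_t datalen;

    if (packet_len < hdr_len)           /* header itself is truncated */
        return -1;
    datalen = demo_get_be32(pkt + offsetof(struct demo_event_hdr, datalen_be));
    /* Compare against the bytes actually received. Subtracting on the
     * right side avoids the wrap that hdr_len + datalen could cause. */
    if (datalen > packet_len - hdr_len)
        return -1;
    if (datalen > out_cap)              /* destination too small */
        return -1;
    memcpy(out, pkt + hdr_len, datalen);
    return (long)datalen;
}

int main(void)
{
    /* Constructed sample packets: header claims 4 bytes, then 8 bytes. */
    const uint8_t ok[]  = { 1, 0, 0, 0, 0, 4, 'a', 'b', 'c', 'd' };
    const uint8_t bad[] = { 1, 0, 0, 0, 0, 8, 'a', 'b', 'c', 'd' };
    uint8_t out[16];
    printf("ok:  %ld\n", demo_copy_event_data(ok, sizeof(ok), out, sizeof(out)));
    printf("bad: %ld\n", demo_copy_event_data(bad, sizeof(bad), out, sizeof(out)));
    return 0;
}
```

Without the `datalen > packet_len - hdr_len` test, the second packet would make `memcpy()` read four bytes past the received data, which is the uninitialized-memory copy the commit message refers to.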