Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote: > Upon handling the firmware notification for scans the length was > checked properly and may result in corrupting kernel heap memory > due to buffer overruns. This fix addresses CVE-2017-0786. > > Cc: stable@xxxxxxxxxxxxxxx # v4.0.x > Cc: Kevin Cernekee <cernekee@xxxxxxxxxxxx> > Reviewed-by: Hante Meuleman <hante.meuleman@xxxxxxxxxxxx> > Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@xxxxxxxxxxxx> > Reviewed-by: Franky Lin <franky.lin@xxxxxxxxxxxx> > Signed-off-by: Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx> 2 patches applied to wireless-drivers.git, thanks. 17df6453d4be brcmfmac: add length check in brcmf_cfg80211_escan_handler() 35f62727df0e brcmfmac: setup passive scan if requested by user-space -- https://patchwork.kernel.org/patch/9948689/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
