Kevin Cernekee <cernekee@xxxxxxxxxxxx> wrote:

> The length of the data in the received skb is currently passed into
> brcmf_fweh_process_event() as packet_len, but this value is not checked.
> event_packet should be followed by DATALEN bytes of additional event
> data. Ensure that the received packet actually contains at least
> DATALEN bytes of additional data, to avoid copying uninitialized memory
> into event->data.
>
> Suggested-by: Mattias Nissler <mnissler@xxxxxxxxxxxx>
> Signed-off-by: Kevin Cernekee <cernekee@xxxxxxxxxxxx>

I'll queue this for v4.14 and add:

Cc: stable@xxxxxxxxxxxxxxx # v3.8

-- 
https://patchwork.kernel.org/patch/9954607/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
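
Added example (not part of the original mail and not brcmfmac code): the kind of check the quoted commit message describes, shown on a hypothetical simplified event layout. The 8-byte header, evt_copy_data() and the sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical simplified header: 4-byte event code + 4-byte big-endian
 * datalen. This is NOT the brcmfmac wire layout. */
#define EVT_HDR_LEN 8u

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Copy the event payload out of a received packet. Returns the payload
 * length, or -1 if the packet is truncated or `out` is too small. */
long evt_copy_data(const uint8_t *pkt, size_t packet_len,
                   uint8_t *out, size_t out_cap)
{
    uint32_t datalen;

    if (packet_len < EVT_HDR_LEN)
        return -1;                  /* header itself is truncated */
    datalen = be32(pkt + 4);        /* length field set by the sender */
    /* Compare against the bytes that remain after the header. The form
     * "EVT_HDR_LEN + datalen > packet_len" can wrap in 32-bit arithmetic. */
    if (datalen > packet_len - EVT_HDR_LEN)
        return -1;                  /* claims more data than was received */
    if (datalen > out_cap)
        return -1;                  /* destination buffer too small */
    memcpy(out, pkt + EVT_HDR_LEN, datalen);
    return (long)datalen;
}

/* Constructed sample packets (not captured traffic). */
const uint8_t evt_ok[]    = { 0, 0, 0, 1, 0, 0, 0, 4, 0xde, 0xad, 0xbe, 0xef };
const uint8_t evt_short[] = { 0, 0, 0, 1, 0, 0, 0, 64, 0xde, 0xad };
const uint8_t evt_wrap[]  = { 0, 0, 0, 1, 0xff, 0xff, 0xff, 0xfc, 0x00 };

int main(void)
{
    uint8_t out[16];
    int ok = evt_copy_data(evt_ok, sizeof evt_ok, out, sizeof out) == 4 &&
             evt_copy_data(evt_short, sizeof evt_short, out, sizeof out) == -1 &&
             evt_copy_data(evt_wrap, sizeof evt_wrap, out, sizeof out) == -1;
    return ok ? 0 : 1;
}
```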