Takashi Iwai <tiwai@xxxxxxx> wrote:

> mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
> a couple places without checking the destination size. Since the
> source is given from user-space, this may trigger a heap buffer
> overflow.
>
> Fix it by putting the length check before performing memcpy().
>
> This fix addresses CVE-2019-3846.
>
> Reported-by: huangwen <huangwen@xxxxxxxxxxxxxxxx>
> Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>

2 patches applied to wireless-drivers.git, thanks.

13ec7f10b87f mwifiex: Fix possible buffer overflows at parsing bss descriptor
685c9b7750bf mwifiex: Abort at too short BSS descriptor element

-- 
https://patchwork.kernel.org/patch/10967049/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
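
The length check before memcpy() that the quoted commit message describes, shown on a small id/length/value element walker. This is an added example, not the mwifiex driver's code or part of the applied patches; the struct, function name and destination sizes are hypothetical, and the check against the remaining input goes beyond what the message states.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IE_HDR_LEN    2   /* 1-byte element id + 1-byte length */
#define EID_SSID      0
#define EID_RATES     1
#define SSID_MAX_LEN  32
#define RATES_MAX_LEN 14  /* hypothetical destination size */

struct bss_desc {         /* hypothetical, not the driver's struct */
    uint8_t ssid[SSID_MAX_LEN];
    uint8_t ssid_len;
    uint8_t rates[RATES_MAX_LEN];
    uint8_t rates_len;
};

/* Returns 0 on success, -1 on a malformed or oversized element. */
int parse_bss_ies(struct bss_desc *d, const uint8_t *buf, size_t left)
{
    memset(d, 0, sizeof(*d));
    while (left >= IE_HDR_LEN) {
        uint8_t id = buf[0];
        size_t len = buf[1];

        /* Element claims more bytes than remain in the input: abort. */
        if (len > left - IE_HDR_LEN)
            return -1;

        switch (id) {
        case EID_SSID:
            if (len > sizeof(d->ssid))    /* check before memcpy() */
                return -1;
            memcpy(d->ssid, buf + IE_HDR_LEN, len);
            d->ssid_len = (uint8_t)len;
            break;
        case EID_RATES:
            if (len > sizeof(d->rates))   /* check before memcpy() */
                return -1;
            memcpy(d->rates, buf + IE_HDR_LEN, len);
            d->rates_len = (uint8_t)len;
            break;
        default:                          /* unknown element: skip it */
            break;
        }
        buf += IE_HDR_LEN + len;
        left -= IE_HDR_LEN + len;
    }
    return left == 0 ? 0 : -1;            /* reject a trailing partial header */
}
```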