On Wed, Jun 26, 2019 at 5:49 PM Sasha Levin <sashal@xxxxxxxxxx> wrote: > > From: Takashi Iwai <tiwai@xxxxxxx> > > [ Upstream commit 685c9b7750bfacd6fc1db50d86579980593b7869 ] > > Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that > the source descriptor entries contain the enough size for each type > and performs copying without checking the source size. This may lead > to read over boundary. > > Fix this by putting the source size check in appropriate places. > > Signed-off-by: Takashi Iwai <tiwai@xxxxxxx> > Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx> > Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> For the record, this fixup is still aiming for 5.2, correcting some potential mistakes in this patch: 63d7ef36103d mwifiex: Don't abort on small, spec-compliant vendor IEs So you might want to hold off a bit, and grab them both. Brian
