Hi Wen Huang,

> mwifiex_update_vs_ie(), mwifiex_set_uap_rates() and
> mwifiex_set_wmm_params() call memcpy() without checking the destination
> size. Since the source is given from user-space, this may trigger a heap buffer
> overflow.
>
> Fix them by putting the length check before performing memcpy().
>
> This fix addresses CVE-2019-14814, CVE-2019-14815, CVE-2019-14816.

Thanks for the fix, this change looks good;

Acked-by: Ganapathi Bhat <gbhat@xxxxxxxxxxxx>

Regards,
Ganapathi