huangwenabc@xxxxxxxxx wrote: > From: Wen Huang <huangwenabc@xxxxxxxxx> > > mwifiex_update_vs_ie(),mwifiex_set_uap_rates() and > mwifiex_set_wmm_params() call memcpy() without checking > the destination size.Since the source is given from > user-space, this may trigger a heap buffer overflow. > > Fix them by putting the length check before performing memcpy(). > > This fix addresses CVE-2019-14814,CVE-2019-14815,CVE-2019-14816. > > Signed-off-by: Wen Huang <huangwenabc@xxxxxxxxx> > Acked-by: Ganapathi Bhat <gbhat@xxxxxxxxxxxx> Patch applied to wireless-drivers.git, thanks. 7caac62ed598 mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings -- https://patchwork.kernel.org/patch/11117681/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
