Ganapathi Bhat <gbhat@xxxxxxxxxxx> wrote:

> mwifiex_process_country_ie() function parses elements of bss
> descriptor in beacon packet. When processing WLAN_EID_COUNTRY
> element, there is no upper limit check for country_ie_len before
> calling memcpy. The destination buffer domain_info->triplet is an
> array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
> attacker can build a fake AP with the same ssid as real AP, and
> send malicious beacon packet with long WLAN_EID_COUNTRY element
> (country_ie_len > 83). Attacker can force STA to connect to fake AP
> on a different channel. When the victim STA connects to fake AP,
> this will trigger the heap buffer overflow. Fix this by checking for
> length and if found invalid, do not connect to the AP.
>
> This fix addresses CVE-2019-14895.
>
> Reported-by: huangwen <huangwenabc@xxxxxxxxx>
> Signed-off-by: Ganapathi Bhat <gbhat@xxxxxxxxxxx>

Patch applied to wireless-drivers.git, thanks.

3d94a4a8373b mwifiex: fix possible heap overflow in mwifiex_process_country_ie()

--
https://patchwork.kernel.org/patch/11256477/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
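The bug class the commit message describes, as an added C illustration that is neither mwifiex driver code nor the applied patch: a Country element (id 7) from a constructed beacon IE blob is copied into a fixed array of 83 three-byte triplets, once trusting the element's length byte and once with an upper bound that makes the parser refuse the element. The struct layout, constant names and the exact form of the bound are assumptions for this example (the patch's own check is not reproduced here); the guard bytes after the array exist only so the overflow can be observed without corrupting anything else.

```c
/*
 * Added illustration, not mwifiex driver code: an 802.11d Country element is
 * copied into a fixed array of channel triplets, once trusting the element's
 * length byte (the pattern the commit message describes) and once with an
 * upper bound. Names mirror the commit message but are assumptions here.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define WLAN_EID_COUNTRY     7     /* Country element ID, IEEE 802.11 */
#define COUNTRY_STRING_LEN   3     /* two-letter country code + environment byte */
#define MAX_TRIPLET_802_11D  83    /* same value as MWIFIEX_MAX_TRIPLET_802_11D */
#define ERR_INVALID        (-22)   /* stands in for -EINVAL */
#define GUARD_BYTE         0xAA

struct country_triplet { uint8_t first_channel, num_channels, max_power; };

struct domain_info {
    char country_code[3];
    uint8_t no_of_triplet;
    struct country_triplet triplet[MAX_TRIPLET_802_11D];   /* 249 bytes */
    uint8_t guard[4];   /* only an overflow reaches here; in-struct so the demo stays contained */
};

/* Walk (id, len, value) elements; NULL if the ID is absent or an element is truncated. */
static const uint8_t *find_ie(const uint8_t *ies, size_t ies_len, uint8_t eid)
{
    for (size_t pos = 0; pos + 2 <= ies_len; pos += 2 + ies[pos + 1]) {
        if (pos + 2 + ies[pos + 1] > ies_len)
            return NULL;
        if (ies[pos] == eid)
            return ies + pos;
    }
    return NULL;
}

/* Opaque accessor so a fortified memcpy cannot do the bounds check for us. */
static __attribute__((noinline)) uint8_t *triplet_bytes(struct domain_info *d)
{
    return (uint8_t *)d->triplet;
}

/* Returns 0 on success or when no Country element is present, ERR_INVALID if the
 * element is rejected. *overflowed reports whether the copy ran past the array. */
int process_country_ie(struct domain_info *d, const uint8_t *ies, size_t ies_len,
                       int bounded, int *overflowed)
{
    const uint8_t *ie = find_ie(ies, ies_len, WLAN_EID_COUNTRY);

    memset(d, 0, sizeof(*d));
    memset(d->guard, GUARD_BYTE, sizeof(d->guard));
    *overflowed = 0;
    if (ie) {
        uint8_t ie_len = ie[1];

        if (ie_len < COUNTRY_STRING_LEN)
            return 0;   /* no room for a country code: ignored before and after the fix */
        /* The missing upper bound. The form of this check is the example's, not the patch's. */
        if (bounded && (size_t)(ie_len - COUNTRY_STRING_LEN) > sizeof(d->triplet))
            return ERR_INVALID;   /* caller must not associate with this AP */

        memcpy(d->country_code, ie + 2, 2);
        d->country_code[2] = ' ';
        ie_len -= COUNTRY_STRING_LEN;
        d->no_of_triplet = ie_len / sizeof(struct country_triplet);
        /* Unbounded: ie_len can reach 252 while the array holds 249 bytes. */
        memcpy(triplet_bytes(d), ie + 2 + COUNTRY_STRING_LEN, ie_len);
    }
    for (size_t i = 0; i < sizeof(d->guard); i++)
        if (d->guard[i] != GUARD_BYTE)
            *overflowed = 1;
    return 0;
}

/* Constructed beacon IE blob: SSID "test" then a Country element whose payload is
 * "US " plus filler triplet bytes, payload_len bytes in total (must be >= 3). */
size_t build_ies(uint8_t *out, size_t cap, uint8_t payload_len)
{
    static const uint8_t ssid[] = { 0x00, 4, 't', 'e', 's', 't' };
    size_t n = sizeof(ssid) + 2 + payload_len;

    if (payload_len < COUNTRY_STRING_LEN || n > cap)
        return 0;
    memcpy(out, ssid, sizeof(ssid));
    out[sizeof(ssid)] = WLAN_EID_COUNTRY;
    out[sizeof(ssid) + 1] = payload_len;
    memcpy(out + sizeof(ssid) + 2, "US ", COUNTRY_STRING_LEN);
    memset(out + sizeof(ssid) + 2 + COUNTRY_STRING_LEN, 0x41, payload_len - COUNTRY_STRING_LEN);
    return n;
}

int main(void)
{
    uint8_t ies[300];
    struct domain_info d;
    int ovf, rc;
    size_t n = build_ies(ies, sizeof(ies), 9);      /* "US " + two triplets, as a real AP sends */

    rc = process_country_ie(&d, ies, n, 0, &ovf);
    printf("benign:    rc=%d triplets=%u overflow=%d\n", rc, d.no_of_triplet, ovf);
    n = build_ies(ies, sizeof(ies), 255);           /* maximal element, as a rogue AP could send */
    rc = process_country_ie(&d, ies, n, 0, &ovf);
    printf("unchecked: rc=%d overflow=%d\n", rc, ovf);
    rc = process_country_ie(&d, ies, n, 1, &ovf);
    printf("bounded:   rc=%d overflow=%d\n", rc, ovf);
    return 0;
}
```

The point to take from the bounded path is that the check has to fire before any state is written and its result has to propagate to the caller, since the commit message's fix is to refuse association with the AP rather than to truncate the copy. Also note that a single length byte gives the attacker at most 255 bytes, so the margin of the overflow is small here (up to three bytes past the array in this layout); in the real driver the size of whatever follows domain_info in the heap allocation determines what those bytes hit.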