qize wang <wangqize888888888@xxxxxxxxx> writes:

> mwifiex_process_tdls_action_frame() does not check the incoming TDLS
> information element's validity before using it; this may cause multiple
> heap buffer overflows.
>
> Fix them by putting a validity check before use.
>
> An IE is a TLV struct, but ht_cap and ht_oper aren't TLV structs.
> The original Marvell driver code is wrong:
>
> memcpy(&sta_ptr->tdls_cap.ht_oper, pos,....
> memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,...
>
> Fix the bug by changing pos (the address of the IE) to
> pos+2 (the address of the IE value).
>
> v3: change commit log
>
> Signed-off-by: qize wang <wangqize888888888@xxxxxxxxx>

Applied manually (removed the changelog from commit), thanks.

1e58252e334d mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()

-- 
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
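As an added example, not the mwifiex driver's code and not the patch being applied above: a bounds-checked walk over 802.11 information elements that does what the commit message describes. Each TLV is checked against the end of the buffer and against the expected body size before anything is copied, and the copy starts at the element value (pos+2) rather than at the element header. Element IDs and the HT Capabilities / HT Operation body sizes follow IEEE 802.11; the struct and function names, the return codes and the sample byte strings are constructed for this example. `buggy_cap_info()` shows what the original `memcpy(..., pos, ...)` pattern would put into `cap_info`: the ID and length bytes instead of the value.

```c
/* Added example: checked 802.11 IE (TLV) parsing before copying into
 * fixed-size, non-TLV structs. Not the mwifiex driver's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define EID_HT_CAPABILITY 45   /* IEEE 802.11 element IDs */
#define EID_HT_OPERATION  61

/* Fixed-size bodies as carried in the IE value field (names assumed). */
struct ht_cap {
    uint16_t cap_info;
    uint8_t  ampdu_params;
    uint8_t  mcs[16];
    uint16_t ext_cap;
    uint32_t txbf_cap;
    uint8_t  asel;
} __attribute__((packed));            /* 26 bytes */

struct ht_oper {
    uint8_t  primary_chan;
    uint8_t  ht_param;
    uint16_t operation_mode;
    uint16_t stbc_param;
    uint8_t  basic_set[16];
} __attribute__((packed));            /* 22 bytes */

struct tdls_cap {
    struct ht_cap  ht_cap;
    struct ht_oper ht_oper;
    int have_ht_cap, have_ht_oper;
};

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_LEN = -2 };

/* The buggy pattern from the commit message copies from pos (the element
 * header), so cap_info receives the EID and length bytes. This helper only
 * reads the two header bytes, so it is safe to call on any sample below. */
uint16_t buggy_cap_info(const uint8_t *ie_hdr)
{
    uint16_t v;
    memcpy(&v, ie_hdr, sizeof(v));   /* reads EID and length, not the value */
    return v;
}

/* Hardened walk: every element is validated against the buffer end and the
 * expected body size before it is used; copies start at pos+2. */
int parse_tdls_ies(const uint8_t *ies, size_t len, struct tdls_cap *out)
{
    const uint8_t *pos = ies, *end = ies + len;
    memset(out, 0, sizeof(*out));
    while (pos < end) {
        if (end - pos < 2)                              /* header truncated */
            return PARSE_TRUNCATED;
        uint8_t eid = pos[0], elen = pos[1];
        if ((size_t)(end - pos) < 2 + (size_t)elen)     /* value past buffer */
            return PARSE_TRUNCATED;
        const uint8_t *val = pos + 2;                   /* start of IE value */
        switch (eid) {
        case EID_HT_CAPABILITY:
            if (elen != sizeof(struct ht_cap))
                return PARSE_BAD_LEN;
            memcpy(&out->ht_cap, val, sizeof(out->ht_cap));
            out->have_ht_cap = 1;
            break;
        case EID_HT_OPERATION:
            if (elen != sizeof(struct ht_oper))
                return PARSE_BAD_LEN;
            memcpy(&out->ht_oper, val, sizeof(out->ht_oper));
            out->have_ht_oper = 1;
            break;
        default:
            break;                                      /* skip unknown IEs */
        }
        pos = val + elen;
    }
    return PARSE_OK;
}

/* Constructed samples (arbitrary test bytes, not captured frames). */
static const uint8_t sample_good[] = {
    EID_HT_CAPABILITY, 26,
    0xef, 0x01,                                   /* cap_info */
    0x17,                                         /* ampdu_params */
    0xff, 0xff, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* mcs[16] */
    0, 0, 0, 0, 0, 0, 0,                          /* ext_cap, txbf_cap, asel */
    EID_HT_OPERATION, 22,
    36, 0x05,                                     /* primary_chan, ht_param */
    0, 0, 0, 0,                                   /* operation_mode, stbc */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,         /* basic_set */
};
/* Claims 26 bytes of body but only 10 follow: must be rejected. */
static const uint8_t sample_trunc[] = {
    EID_HT_CAPABILITY, 26, 0xef, 0x01, 0x17, 0xff, 0xff, 0, 0, 0, 0, 0,
};
/* Complete, but body length (28) does not match struct ht_cap (26). */
static const uint8_t sample_bad_len[30] = { EID_HT_CAPABILITY, 28 };

struct tdls_cap parsed;   /* shared result for stand-alone runs and tests */

int main(void)
{
    int rc = parse_tdls_ies(sample_good, sizeof(sample_good), &parsed);
    printf("good: rc=%d chan=%u buggy cap_info=0x%04x real cap_info=0x%04x\n",
           rc, parsed.ht_oper.primary_chan, buggy_cap_info(sample_good),
           parsed.ht_cap.cap_info);
    printf("truncated: rc=%d\n", parse_tdls_ies(sample_trunc, sizeof(sample_trunc), &parsed));
    printf("bad length: rc=%d\n", parse_tdls_ies(sample_bad_len, sizeof(sample_bad_len), &parsed));
    return 0;
}
```

The length check is exact (`elen != sizeof(...)`) because these bodies are fixed-size; for elements that legitimately vary in length, the check becomes `elen > sizeof(dest)` with the copy bounded by `elen`. Either way the check runs before the `memcpy`, and the source pointer is the value, not the header.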