huangwenabc@xxxxxxxxx wrote: > From: Wen Huang <huangwenabc@xxxxxxxxx> > > add_ie_rates() copys rates without checking the length > in bss descriptor from remote AP.when victim connects to > remote attacker, this may trigger buffer overflow. > lbs_ibss_join_existing() copys rates without checking the length > in bss descriptor from remote IBSS node.when victim connects to > remote attacker, this may trigger buffer overflow. > Fix them by putting the length check before performing copy. > > This fix addresses CVE-2019-14896 and CVE-2019-14897. > This also fix build warning of mixed declarations and code. > > Reported-by: kbuild test robot <lkp@xxxxxxxxx> > Signed-off-by: Wen Huang <huangwenabc@xxxxxxxxx> Patch applied to wireless-drivers.git, thanks. e5e884b42639 libertas: Fix two buffer overflows at parsing bss descriptor -- https://patchwork.kernel.org/patch/11265751/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
