Search Linux Wireless

Re: [PATCH] libertas: Fix two buffer overflows at parsing bss descriptor

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



huangwenabc@xxxxxxxxx wrote:

> From: Wen Huang <huangwenabc@xxxxxxxxx>
> 
> add_ie_rates() copys rates without checking the length 
> in bss descriptor from remote AP.when victim connects to 
> remote attacker, this may trigger buffer overflow.
> lbs_ibss_join_existing() copys rates without checking the length 
> in bss descriptor from remote IBSS node.when victim connects to 
> remote attacker, this may trigger buffer overflow.
> Fix them by putting the length check before performing copy.
> 
> This fix addresses CVE-2019-14896 and CVE-2019-14897.
> This also fix build warning of mixed declarations and code.
> 
> Reported-by: kbuild test robot <lkp@xxxxxxxxx>
> Signed-off-by: Wen Huang <huangwenabc@xxxxxxxxx>

Patch applied to wireless-drivers.git, thanks.

e5e884b42639 libertas: Fix two buffer overflows at parsing bss descriptor

-- 
https://patchwork.kernel.org/patch/11265751/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches



[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Wireless Personal Area Network]     [Linux Bluetooth]     [Wireless Regulations]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Hiking]     [MIPS Linux]     [ARM Linux]     [Linux RAID]

  Powered by Linux