m1s5p6688@xxxxxxxxx wrote: > From: Qing Xu <m1s5p6688@xxxxxxxxx> > > mwifiex_ret_wmm_get_status() calls memcpy() without checking the > destination size.Since the source is given from remote AP which > contains illegal wmm elements , this may trigger a heap buffer > overflow. > Fix it by putting the length check before calling memcpy(). > > Signed-off-by: Qing Xu <m1s5p6688@xxxxxxxxx> 2 patches applied to wireless-drivers.git, thanks. 3a9b153c5591 mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() b70261a288ea mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() -- https://patchwork.kernel.org/patch/11315253/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
