+ linux-wireless

Zekun Shen <bruceshenzk@xxxxxxxxx> writes:

> Bad header can have large length field which can cause OOB.
> cptr is the last bytes for read, and the eeprom is parsed
> from high to low address. The OOB, triggered by the condition
> length > cptr could cause memory error with a read on
> negative index.
>
> There are some sanity check around length, but it is not
> compared with cptr (the remaining bytes). Here, the
> corrupted/bad EEPROM can cause panic.
>
> I was able to reproduce the crash, but I cannot find the
> log and the reproducer now. After I applied the patch, the
> bug is no longer reproducible.
>
> Signed-off-by: Zekun Shen <bruceshenzk@xxxxxxxxx>

Please resubmit and cc linux-wireless list, otherwise patchwork won't
see the patch and then it will be out of my radar.

-- 
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
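
The check described in the quoted commit message, as an added example that is not part of the original e-mail or of the driver's code: a simplified model of a parser that walks length-prefixed blocks from high to low address and rejects a header whose length exceeds the bytes remaining below it. The block layout, HDR_LEN, MAX_PAYLOAD, parse_blocks and both sample images are assumptions made for illustration; only the name cptr and the comparison of length against the remaining bytes come from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN     2u    /* hypothetical header: 16-bit little-endian payload length */
#define MAX_PAYLOAD 1024u /* a sanity limit on length that never looks at cptr */

/* Constructed sample images, laid out from low address to high address. */
const uint8_t good_image[16] = {
    0x00, 0x00, 0x00,          /* unused                        */
    0x00, 0x00,                /* header: length 0 = terminator */
    0x01, 0x02, 0x03, 0x04,    /* payload of block 2            */
    0x04, 0x00,                /* header of block 2: length 4   */
    0x05, 0x06, 0x07,          /* payload of block 1            */
    0x03, 0x00                 /* header of block 1: length 3   */
};
/* Bad header: length 64 passes MAX_PAYLOAD, but only 6 bytes lie below it. */
const uint8_t bad_image[8] = { 0, 0, 0, 0, 0, 0, 0x40, 0x00 };

/* Walk the blocks from high to low address. Returns the number of blocks
 * parsed and stores the sum of all payload bytes, or -1 on a bad header. */
int parse_blocks(const uint8_t *buf, size_t size, unsigned *sum)
{
    size_t cptr = size;   /* bytes still unread: buf[0] .. buf[cptr - 1] */
    int blocks = 0;
    *sum = 0;
    while (cptr >= HDR_LEN) {
        size_t length = (size_t)buf[cptr - 2] | ((size_t)buf[cptr - 1] << 8);
        if (length == 0)
            break;                /* terminator */
        if (length > MAX_PAYLOAD)
            return -1;            /* limit check alone does not bound the read */
        if (length > cptr - HDR_LEN)
            return -1;            /* length exceeds the remaining bytes */
        for (size_t i = cptr - HDR_LEN - length; i < cptr - HDR_LEN; i++)
            *sum += buf[i];       /* start index is >= 0 only because of the check */
        cptr -= HDR_LEN + length;
        blocks++;
    }
    return blocks;
}

int main(void)
{
    unsigned sum;
    printf("good: %d\n", parse_blocks(good_image, sizeof good_image, &sum));
    printf("bad:  %d\n", parse_blocks(bad_image, sizeof bad_image, &sum));
    return 0;
}
```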