On Mon, Feb 10, 2020 at 12:02:33PM -0600, Larry Finger wrote:
> In routine wpa_supplicant_ioctl(), the user-controlled p->length is
> checked to be at least the size of struct ieee_param size, but the code
> does not detect the case where p->length is greater than the size
> of the struct, thus a malicious user could be wasting kernel memory.
> Fixes commit 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver").
>
> Reported by: Pietro Oliva <pietroliva@xxxxxxxxx>
> Cc: Pietro Oliva <pietroliva@xxxxxxxxx>
> Cc: Stable <stable@xxxxxxxxxxxxxxx>
> Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver").
> Signed-off-by: Larry Finger <Larry.Finger@xxxxxxxxxxxx>
> -# Please enter the commit message for your changes. Lines starting
> ---
Funny line :)
I'll go edit it...
thanks,
greg k-h
