On Mon, Mar 16, 2020 at 03:15:12PM +0100, Matthias Maennich wrote:
> From: qize wang <wangqize888888888@xxxxxxxxx>
>
> mwifiex_process_tdls_action_frame() does not check
> the incoming TDLS information element's validity before using it;
> this may cause multiple heap buffer overflows.
>
> Fix them by putting a validity check before using it.
>
> An IE is a TLV struct, but ht_cap and ht_oper aren't TLV structs.
> The original Marvell driver code is wrong:
>
> memcpy(&sta_ptr->tdls_cap.ht_oper, pos,....
> memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,...
>
> Fix the bug by changing pos (the address of the IE) to
> pos+2 (the address of the IE value).
>
> Signed-off-by: qize wang <wangqize888888888@xxxxxxxxx>
> Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>
> (cherry picked from commit 1e58252e334dc3f3756f424a157d1b7484464c40)
> Signed-off-by: Matthias Maennich <maennich@xxxxxxxxxx>
> ---
> drivers/net/wireless/mwifiex/tdls.c | 70 ++++++++++++++++++++++++++---
> 1 file changed, 64 insertions(+), 6 deletions(-)

Now queued up, thanks.

greg k-h
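The TLV walk the commit message describes, as an added example in C that is not the mwifiex driver's code and not part of the thread. It assumes the 802.11 element IDs 45 (HT Capabilities) and 61 (HT Operation), the fixed element body lengths 26 and 22, a simplified stand-in record `struct tdls_cap` in place of the driver's `sta_ptr->tdls_cap`, and constructed sample frames built by a hypothetical `put_ie()` helper. It shows the two points the fix makes: the copy starts at `pos + 2` (the element value) rather than `pos` (the element header), and the element length is checked against both the remaining frame and the fixed-size destination before `memcpy`, so a peer-supplied length can neither read past the frame nor overrun the heap record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.11 element IDs used below. */
#define WLAN_EID_SSID          0
#define WLAN_EID_HT_CAPABILITY 45
#define WLAN_EID_HT_OPERATION  61

/* Fixed body lengths of the two HT elements (assumed here from 802.11, not taken from the driver). */
#define HT_CAP_LEN  26
#define HT_OPER_LEN 22

/* Simplified stand-in for the driver's per-peer record; layout is an assumption of this example. */
struct tdls_cap {
    uint8_t ht_capb[HT_CAP_LEN];
    uint8_t ht_oper[HT_OPER_LEN];
    int have_ht_capb;
    int have_ht_oper;
};

enum { IE_OK = 0, IE_TRUNCATED = -1, IE_BAD_LEN = -2 };

/*
 * Walk the element list in buf[0..len). Each element is ID(1) LEN(1) VALUE(LEN).
 * Every length is validated before it is used: the header must fit, the value must
 * fit in the remaining frame, and for fixed-size destinations the value length must
 * equal the destination size. Only then is memcpy called, always from pos + 2.
 */
int parse_tdls_ies(const uint8_t *buf, size_t len, struct tdls_cap *cap)
{
    const uint8_t *pos = buf, *end = buf + len;

    memset(cap, 0, sizeof(*cap));
    while (pos < end) {
        size_t remaining = (size_t)(end - pos);
        uint8_t eid, elen;

        if (remaining < 2)                 /* element header does not fit */
            return IE_TRUNCATED;
        eid = pos[0];
        elen = pos[1];
        if ((size_t)elen > remaining - 2)  /* element value runs past the frame */
            return IE_TRUNCATED;

        switch (eid) {
        case WLAN_EID_HT_CAPABILITY:
            if (elen != HT_CAP_LEN)        /* destination is fixed-size: reject any other length */
                return IE_BAD_LEN;
            memcpy(cap->ht_capb, pos + 2, HT_CAP_LEN);
            cap->have_ht_capb = 1;
            break;
        case WLAN_EID_HT_OPERATION:
            if (elen != HT_OPER_LEN)
                return IE_BAD_LEN;
            memcpy(cap->ht_oper, pos + 2, HT_OPER_LEN);
            cap->have_ht_oper = 1;
            break;
        default:                           /* unrelated elements are skipped */
            break;
        }
        pos += 2 + elen;
    }
    return IE_OK;
}

/* Hypothetical helper: append one element with a constant fill value; returns bytes written. */
static size_t put_ie(uint8_t *out, uint8_t eid, uint8_t elen, uint8_t fill)
{
    out[0] = eid;
    out[1] = elen;
    memset(out + 2, fill, elen);
    return 2 + (size_t)elen;
}

/* Constructed frame 1: SSID, HT Capabilities (value bytes 0xAA), HT Operation (value bytes 0xBB). */
int demo_wellformed(struct tdls_cap *cap)
{
    uint8_t frame[128];
    size_t n = 0;
    n += put_ie(frame + n, WLAN_EID_SSID, 4, 't');
    n += put_ie(frame + n, WLAN_EID_HT_CAPABILITY, HT_CAP_LEN, 0xAA);
    n += put_ie(frame + n, WLAN_EID_HT_OPERATION, HT_OPER_LEN, 0xBB);
    return parse_tdls_ies(frame, n, cap);
}

/* Constructed frame 2: HT Capabilities claims 26 value bytes but the frame ends after 10. */
int demo_truncated(void)
{
    uint8_t frame[64];
    struct tdls_cap cap;
    (void)put_ie(frame, WLAN_EID_HT_CAPABILITY, HT_CAP_LEN, 0xAA);
    return parse_tdls_ies(frame, 2 + 10, &cap);
}

/* Constructed frame 3: HT Operation with a peer-chosen length of 200. The frame really
 * holds 200 bytes, so only the destination-size check prevents a 200-byte memcpy
 * into the 22-byte ht_oper field. */
int demo_oversized(void)
{
    uint8_t frame[256];
    struct tdls_cap cap;
    size_t n = put_ie(frame, WLAN_EID_HT_OPERATION, 200, 0xCC);
    return parse_tdls_ies(frame, n, &cap);
}

int main(void)
{
    struct tdls_cap cap;
    printf("wellformed: %d (ht_capb[0]=0x%02x)\n", demo_wellformed(&cap), cap.ht_capb[0]);
    printf("truncated:  %d\n", demo_truncated());
    printf("oversized:  %d\n", demo_oversized());
    return 0;
}
```

The third frame is the case the commit message calls a heap buffer overflow: a length check against the frame alone passes, so the check against the fixed-size destination is the one that matters. The first byte copied in the well-formed case is the 0xAA value byte, not the element ID 45, which is the difference between `pos` and `pos + 2`.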