github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-10 07:32:29 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
05100db84b
linux/drivers/net/wireless
History
qize wang 21f08020dd mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame() 
[ Upstream commit 1e58252e33 ]

mwifiex_process_tdls_action_frame() without checking
the incoming tdls infomation element's vality before use it,
this may cause multi heap buffer overflows.

Fix them by putting vality check before use it.

IE is TLV struct, but ht_cap and  ht_oper aren’t TLV struct.
the origin marvell driver code is wrong:

memcpy(&sta_ptr->tdls_cap.ht_oper, pos,....
memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,...

Fix the bug by changing pos(the address of IE) to
pos+2 ( the address of IE value ).

Signed-off-by: qize wang <wangqize888888888@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-01-12 12:17:06 +01:00
..
admtek
ath ath9k_htc: Discard undersized packets 2020-01-09 10:19:09 +01:00
atmel at76c50x-usb: Don't register led_trigger if usb_register_driver failed 2019-05-31 06:46:05 -07:00
broadcom brcmfmac: remove monitor interface when detaching 2019-12-31 16:36:09 +01:00
cisco wireless: airo: potential buffer overflow in sprintf() 2019-12-01 09:17:23 +01:00
intel iwlwifi: check kasprintf() return value 2019-12-31 16:36:10 +01:00
intersil p54usb: Fix race between disconnect and firmware loading 2019-07-14 08:11:19 +02:00
marvell mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame() 2020-01-12 12:17:06 +01:00
mediatek mt76x0: phy: fix restore phase in mt76x0_phy_recalibrate_after_assoc 2019-12-01 09:16:19 +01:00
quantenna qtnfmac: drop error reports for out-of-bounds key indexes 2019-11-24 08:20:21 +01:00
ralink rt2x00: do not increment sequence number while re-transmitting 2019-04-27 09:36:38 +02:00
realtek rtlwifi: fix memory leak in rtl92c_set_fw_rsvdpagepkt() 2019-12-31 16:35:41 +01:00
rsi rsi: release skb if rsi_prepare_beacon fails 2019-12-13 08:50:57 +01:00
st net: cw1200: fix a NULL pointer dereference 2019-05-31 06:46:15 -07:00
ti wlcore: Fix the return value in case of error in 'wlcore_vendor_cmd_smart_config_start()' 2019-12-01 09:17:21 +01:00
zydas zd1211rw: use irqsave() in USB's complete callback 2018-06-27 19:12:43 +03:00
Kconfig
mac80211_hwsim.c mac80211_hwsim: Fix possible null-pointer dereferences in hwsim_dump_radio_nl() 2019-08-29 08:28:33 +02:00
mac80211_hwsim.h
Makefile
ray_cs.c ray_cs: remove redundant pointer 'p' 2018-07-31 10:19:50 +03:00
ray_cs.h
rayctl.h
rndis_wlan.c wireless-drivers: use BIT_ULL for NL80211_STA_INFO_ attribute types 2018-06-27 19:07:39 +03:00
wl3501_cs.c
wl3501.h