DivestOS/Patches/Linux_CVEs/CVE-2017-0786/ANY/0.patch

42 lines
1.5 KiB
Diff
Raw Normal View History

From 68acc6ab1474e9dde68880a7856e8a74ff86aa19 Mon Sep 17 00:00:00 2001
From: Insun Song <insun.song@broadcom.com>
Date: Mon, 5 Jun 2017 10:21:10 -0700
Subject: net: wireless: bcmdhd: adding boudary check in wl_escan_handler
WLC_E_ESCAN_RESULT event could be manipulated especially two length field
inside, one is for escan_result buffer length and another one is
bss_info length, the forged fields may bypass current length check and
corrupt kernel heap memory.
so added checking validation for two length fields in WLC_E_ESCAN_RESULT
event.
Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 37351060
Change-Id: I31e9fccc48fc06278fb3a87a76ef7337296c2b0d
---
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
index 021f69f7..d8c748d 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
@@ -10513,6 +10513,13 @@ static s32 wl_escan_handler(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
WL_ERR(("Invalid escan result (NULL pointer)\n"));
goto exit;
}
+ if ((dtoh32(escan_result->buflen) > ESCAN_BUF_SIZE) ||
+ (dtoh32(escan_result->buflen) <
+ sizeof(wl_escan_result_t))) {
+ WL_ERR(("Invalid escan buffer len:%d\n",
+ dtoh32(escan_result->buflen)));
+ goto exit;
+ }
if (dtoh16(escan_result->bss_count) != 1) {
WL_ERR(("Invalid bss_count %d: ignoring\n", escan_result->bss_count));
goto exit;
--
cgit v1.1