Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2024-10-01 01:35:54 -04:00
Code Issues Packages Projects Releases Wiki Activity
7c0049f494
DivestOS/Patches/Linux_CVEs/CVE-2017-0786/ANY/0001.patch
Tad 11c7037780 Switch to new CVE patchset
2017-11-07 17:32:46 -05:00

42 lines
1.5 KiB
Diff
Raw Blame History

From 68acc6ab1474e9dde68880a7856e8a74ff86aa19 Mon Sep 17 00:00:00 2001
From: Insun Song <insun.song@broadcom.com>
Date: Mon, 5 Jun 2017 10:21:10 -0700
Subject: net: wireless: bcmdhd: adding boudary check in wl_escan_handler
WLC_E_ESCAN_RESULT event could be manipulated especially two length field
inside, one is for escan_result buffer length and another one is
bss_info length, the forged fields may bypass current length check and
corrupt kernel heap memory.
so added checking validation for two length fields in WLC_E_ESCAN_RESULT
event.
Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 37351060
Change-Id: I31e9fccc48fc06278fb3a87a76ef7337296c2b0d
---
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
index 021f69f7..d8c748d 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
@@ -10513,6 +10513,13 @@ static s32 wl_escan_handler(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
WL_ERR(("Invalid escan result (NULL pointer)\n"));
goto exit;
}
+ if ((dtoh32(escan_result->buflen) > ESCAN_BUF_SIZE) ||
+ (dtoh32(escan_result->buflen) <
+ sizeof(wl_escan_result_t))) {
+ WL_ERR(("Invalid escan buffer len:%d\n",
+ dtoh32(escan_result->buflen)));
+ goto exit;
+ }
if (dtoh16(escan_result->bss_count) != 1) {
WL_ERR(("Invalid bss_count %d: ignoring\n", escan_result->bss_count));
goto exit;
--
cgit v1.1
Reference in New Issue View Git Blame Copy Permalink