DivestOS/Patches/Linux_CVEs/CVE-2017-0568/ANY/0002.patch
2017-11-07 17:32:46 -05:00


From a3f3e7ed54aaa4f5f6929f1ed460363fdc8964d6 Mon Sep 17 00:00:00 2001
From: Insun Song <insun.song@broadcom.com>
Date: Fri, 13 Jan 2017 16:25:59 -0800
Subject: [PATCH] net: wireless: bcmdhd: fix overrun in wl_run_escan
Prevent a buffer overrun in the case where the WLC_GET_VALID_CHANNELS IOCTL is
overridden by an attacker and its return value is manipulated.
Signed-off-by: Insun Song <insun.song@broadcom.com>
Change-Id: Ifbbaa3c2bdfd9bea7533d605303f18e17c8d85cc
Bug: 34197514
---
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
index 41d07d310a7b2..c635b1b8a79af 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
@@ -2268,6 +2268,15 @@ wl_run_escan(struct bcm_cfg80211 *cfg, struct net_device *ndev,
if (!wl_get_valid_channels(ndev, chan_buf, sizeof(chan_buf))) {
list = (wl_uint32_list_t *) chan_buf;
n_valid_chan = dtoh32(list->count);
+
+ if (n_valid_chan > WL_NUMCHANNELS) {
+ WL_ERR(("wrong n_valid_chan:%d\n",
+ n_valid_chan));
+ kfree(default_chan_list);
+ err = -EINVAL;
+ goto exit;
+ }
+
for (i = 0; i < num_chans; i++)
{
_freq = request->channels[i]->center_freq;
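Review bot: The added bound `if (n_valid_chan > WL_NUMCHANNELS)` rejects only counts that are too large; if `n_valid_chan` is a signed type (its declaration is outside the hunk, but the `%d` in the added `WL_ERR` suggests it), a `list->count` with the top bit set becomes negative and passes the check. Whether that is reachable depends on how the later loops compare it, which this hunk does not show, so I would make the guard explicit with `if (n_valid_chan < 0 || n_valid_chan > WL_NUMCHANNELS) {`, or declare the variable unsigned. A one-line comment above the check, such as `/* list->count is returned by the ioctl and is untrusted */`, would record why the value is validated here. wl_run_escan begins and ends outside the hunk, so how the `exit` label treats `default_chan_list` after this `kfree` could not be checked from here.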