Re: [PATCH 1/3] brcmfmac: Avoid possible out-of-bounds read

2017-09-09 Thread Arend van Spriel
On 08-09-17 21:13, Kevin Cernekee wrote: In brcmf_p2p_notify_rx_mgmt_p2p_probereq(), chanspec is assigned before the length of rxframe is validated. This could lead to uninitialized data being printed in a debug message. Since we already have a
The debug message is after the length

Re: [PATCH 2/3] brcmfmac: Don't print out-of-bounds event data

2017-09-09 Thread Arend van Spriel
On 08-09-17 21:13, Kevin Cernekee wrote: The debug print that dumps out newly-dequeued events uses emsg.datalen before that field has been validated, which may lead to an out-of-bounds read. Assume that any properly-formed event message has a valid length field, and move the debug print below

Re: [PATCH 3/3] brcmfmac: Add check for short event packets

2017-09-09 Thread Arend van Spriel
On 08-09-17 21:13, Kevin Cernekee wrote: The length of the data in the received skb is currently passed into brcmf_fweh_process_event() as packet_len, but this value is not checked. event_packet should be followed by DATALEN bytes of additional event data. Ensure that the received packet

[PATCH V2 3/3] brcmfmac: Add check for short event packets

2017-09-09 Thread Kevin Cernekee
The length of the data in the received skb is currently passed into brcmf_fweh_process_event() as packet_len, but this value is not checked. event_packet should be followed by DATALEN bytes of additional event data. Ensure that the received packet actually contains at least DATALEN bytes of

[PATCH V2 1/3] brcmfmac: Avoid possible out-of-bounds read

2017-09-09 Thread Kevin Cernekee
In brcmf_p2p_notify_rx_mgmt_p2p_probereq(), chanspec is assigned before the length of rxframe is validated. This could lead to uninitialized data being accessed (but not printed). Since we already have a perfectly good endian-swapped copy of rxframe->chanspec in ch.chspec, and ch.chspec is not

[PATCH V2 2/3] brcmfmac: Delete redundant length check

2017-09-09 Thread Kevin Cernekee
brcmf_fweh_process_event() sets event->datalen to the endian-swapped value of event_packet->msg.datalen, which is the same as emsg.datalen. This length is already validated in brcmf_fweh_process_event(), so there is no need to check it again upon dequeuing the event. Suggested-by: Arend van

[PATCH 3.16 191/233] mac80211/wpa: use constant time memory comparison for MACs

2017-09-09 Thread Ben Hutchings
3.16.48-rc1 review patch. If anyone has any objections, please let me know. -- From: "Jason A. Donenfeld" commit 98c67d187db7808b1f3c95f2110dd4392d034182 upstream. Otherwise, we enable all sorts of forgeries via timing attack. Signed-off-by: Jason A.