On 5-9-2016 11:45, Arend van Spriel wrote:
> User-space can choose to omit NL80211_ATTR_SSID and only provide raw
> IE TLV data. When doing so it can provide SSID IE with length exceeding
> the allowed size. The driver further processes this IE copying it
> into a local variable without checking the length. Hence stack can be
> corrupted and used as an exploit.
This patch is intended for wireless-drivers repository, ie. for v4.8. Regards, Arend > Cc: sta...@vger.kernel.org # v4.7 > Reported-by: Daxing Guo <freener....@gmail.com> > Reviewed-by: Hante Meuleman <hante.meule...@broadcom.com> > Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesbe...@broadcom.com> > Reviewed-by: Franky Lin <franky....@broadcom.com> > Signed-off-by: Arend van Spriel <arend.vanspr...@broadcom.com> > --- > drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > index 5db56a7..b8aec5e5 100644 > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > @@ -4527,7 +4527,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct > net_device *ndev, > (u8 *)&settings->beacon.head[ie_offset], > settings->beacon.head_len - ie_offset, > WLAN_EID_SSID); > - if (!ssid_ie) > + if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN) > return -EINVAL; > > memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len); >
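Review bot: the added bound `ssid_ie->len > IEEE80211_MAX_SSID_LEN` in brcmf_cfg80211_start_ap is the right guard for the `memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len)` that follows, since the destination is a fixed-size SSID field and the IE length byte is user-controlled through the raw beacon IE blob; note that the cfg80211_find_ie() lookup over `settings->beacon.head` only ensures the IE fits inside the source buffer, not that it fits the destination, so this check is what actually closes the overflow. Two small things for the patch: a one-line comment above the check stating that the length is attacker-controlled would help the next reader, and since the change is tagged for stable (v4.7) a `Fixes:` trailer naming the commit that introduced the unchecked copy would let the stable maintainers pick it up without guessing the range.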