Arend Van Spriel <[email protected]> wrote:
> User-space can choose to omit NL80211_ATTR_SSID and only provide raw
> IE TLV data. When doing so it can provide SSID IE with length exceeding
> the allowed size. The driver further processes this IE copying it
> into a local variable without checking the length. Hence stack can be
> corrupted and used as exploit.
>
> Cc: [email protected] # v4.7
> Reported-by: Daxing Guo <[email protected]>
> Reviewed-by: Hante Meuleman <[email protected]>
> Reviewed-by: Pieter-Paul Giesberts <[email protected]>
> Reviewed-by: Franky Lin <[email protected]>
> Signed-off-by: Arend van Spriel <[email protected]>

Thanks, 1 patch applied to wireless-drivers.git:

ded89912156b brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()

-- 
Sent by pwcli
https://patchwork.kernel.org/patch/9313305/
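
The length check the commit message describes, as an added example that is not the driver's code or the applied patch: a stand-alone C routine that walks raw IE TLV data and refuses an SSID IE longer than the 32-byte 802.11 maximum before copying it into a fixed-size buffer. The names `find_ie`, `extract_ssid`, `struct ssid_buf` and the sample buffers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EID_SSID     0   /* 802.11 element ID of the SSID IE */
#define MAX_SSID_LEN 32  /* maximum SSID length defined by 802.11 */

struct ssid_buf {        /* hypothetical fixed-size destination */
    uint8_t len;
    uint8_t ssid[MAX_SSID_LEN];
};

/* Walk id/len/value elements; return the first element with the given id,
 * or NULL if it is absent or an element runs past the end of the buffer. */
static const uint8_t *find_ie(uint8_t id, const uint8_t *buf, size_t buflen)
{
    size_t off = 0;
    while (buflen - off >= 2) {
        size_t vlen = buf[off + 1];
        if (vlen > buflen - off - 2)
            return NULL;            /* truncated element */
        if (buf[off] == id)
            return buf + off;
        off += 2 + vlen;
    }
    return NULL;
}

/* Copy the SSID out of caller-supplied IE data. Returns 0 on success,
 * -1 when the SSID IE is missing, truncated, or larger than the buffer. */
int extract_ssid(const uint8_t *ies, size_t ies_len, struct ssid_buf *out)
{
    const uint8_t *ie = find_ie(EID_SSID, ies, ies_len);
    if (!ie || ie[1] > MAX_SSID_LEN)
        return -1;                  /* bound the copy by the destination size */
    out->len = ie[1];
    memcpy(out->ssid, ie + 2, ie[1]);
    return 0;
}

/* Constructed sample inputs (not captured traffic). */
const uint8_t sample_ok[] = { 0x01, 1, 0x82, EID_SSID, 4, 't', 'e', 's', 't' };
const uint8_t sample_oversize[2 + 33] = { EID_SSID, 33 };  /* 33-byte SSID */
const uint8_t sample_truncated[] = { EID_SSID, 10, 'a', 'b' };
```

The IE length field is a single byte, so an IE taken from caller-supplied data can declare up to 255 bytes of value; the destination size, not the declared length, has to bound the copy.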
