On Fri, 2017-07-07 at 13:01 +0100, Arend van Spriel wrote:
> The lower level nl80211 code in cfg80211 ensures that "len" is between
> 25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24)
> from "len" so that's a max of 2280.  However, the action_frame->data[]
> buffer is only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this
> memcpy() can overflow.
> 
>       memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
>              le16_to_cpu(action_frame->len));

Kalle is on vacation for the next 10 days or so.

Linus, since you were involved already, will you apply this directly?

Arend, otherwise please resend including netdev@, so we can ask davem
to pick it up (needs to land in his patchwork).

I guess it should also have a Cc: stable tag, and perhaps a Fixes?

Thanks,
johannes
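The quoted description boils down to a missing bounds check before the memcpy(): "len" is validated by cfg80211 against the nl80211 limit, but not against the smaller driver-side buffer. The following stand-alone C example (added here; it is not the brcmfmac driver's code, and the struct layout, the helper names and the NL80211_MAX_FRAME_LEN macro are assumptions for illustration) shows the copy guarded by a check against BRCMF_FIL_ACTION_FRAME_SIZE, using the constants quoted in the thread:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values quoted in the thread; redefined here for a stand-alone example. */
#define DOT11_MGMT_HDR_LEN          24
#define BRCMF_FIL_ACTION_FRAME_SIZE 1800
#define NL80211_MAX_FRAME_LEN       2304   /* upper bound cfg80211 enforces on "len" (assumed name) */

/* Stand-in for the driver's action frame structure (assumed layout). */
struct action_frame {
    uint16_t len;                              /* payload length after the 802.11 header */
    uint8_t  data[BRCMF_FIL_ACTION_FRAME_SIZE]; /* payload buffer, the destination of the memcpy */
};

/*
 * Guarded copy: rejects a frame whose payload would not fit in data[].
 * Returns 0 on success, -1 when "len" is out of range.  The check against
 * BRCMF_FIL_ACTION_FRAME_SIZE is the one the quoted code lacks.
 */
int copy_action_frame(struct action_frame *af, const uint8_t *buf, size_t len)
{
    if (len <= DOT11_MGMT_HDR_LEN || len > NL80211_MAX_FRAME_LEN)
        return -1;                              /* need at least a header plus one byte */

    size_t payload = len - DOT11_MGMT_HDR_LEN;  /* at most 2280 after the cfg80211 check */
    if (payload > BRCMF_FIL_ACTION_FRAME_SIZE)
        return -1;                              /* would overflow data[] */

    af->len = (uint16_t)payload;
    memcpy(af->data, &buf[DOT11_MGMT_HDR_LEN], payload);
    return 0;
}

/* Helper for the demonstration: a constructed 2304-byte frame whose first payload byte is 0xAB. */
static void build_frame(uint8_t *buf)
{
    memset(buf, 0, NL80211_MAX_FRAME_LEN);
    buf[DOT11_MGMT_HDR_LEN] = 0xAB;
}

/* Returns the result code of copying a frame of the given "len". */
int try_len(size_t len)
{
    uint8_t buf[NL80211_MAX_FRAME_LEN];
    struct action_frame af;
    build_frame(buf);
    return copy_action_frame(&af, buf, len);
}

/* Returns the stored payload length for a given "len", or 0xFFFF if the copy was rejected. */
unsigned int payload_len_for(size_t len)
{
    uint8_t buf[NL80211_MAX_FRAME_LEN];
    struct action_frame af;
    build_frame(buf);
    if (copy_action_frame(&af, buf, len) != 0)
        return 0xFFFF;
    return af.len;
}

/* Returns the first copied payload byte for a given "len", or -1 if the copy was rejected. */
int first_payload_byte(size_t len)
{
    uint8_t buf[NL80211_MAX_FRAME_LEN];
    struct action_frame af;
    build_frame(buf);
    if (copy_action_frame(&af, buf, len) != 0)
        return -1;
    return af.data[0];
}
```

The boundary worth remembering is 1824: the largest "len" that passes the cfg80211 check is 2304, but the largest one that fits the driver buffer is DOT11_MGMT_HDR_LEN + BRCMF_FIL_ACTION_FRAME_SIZE, so anything between 1825 and 2304 must be refused rather than copied.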
