On Fri, Jul 7, 2017 at 9:39 PM, Arend van Spriel <[email protected]> wrote: > On 07-07-17 14:47, Sedat Dilek wrote: >> On Fri, Jul 7, 2017 at 2:01 PM, Arend van Spriel >> <[email protected]> wrote: >>> The lower level nl80211 code in cfg80211 ensures that "len" is between >>> 25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from >>> "len" so thats's max of 2280. However, the action_frame->data[] buffer is >>> only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can >>> overflow. >>> >>> memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN], >>> le16_to_cpu(action_frame->len)); >>> >>> Reported-by: "freenerguo(郭大兴)" <[email protected]> >>> Signed-off-by: Arend van Spriel <[email protected]> >>> --- >>> Hi Kalle, >>> >>> Here is the patch as Linus send it to us and [email protected]. I >>> removed the lower bound check as that is already done in cfg80211. >>> Now I signed off on the patch although formally I suppose Linus should >>> sign it off. Putting it out there so people can respond as deemed >>> necessary. >>> >>> Now fingers crossed whether patchwork will properly deal with the UTF-8 >>> characters :-p >>> >> >> Somehow horrific to see - less in usage (no CC here). > > Sorry, Sedat > > What is horrific? It is a bit cryptic (for me) what you would like me to > do now if anything. >
You did a CC <[email protected]>, thanks. Looking at the sources, docs and (commit) logs, this email-address seems "unknown" and less in usage. - Sedat - > Regards, > Arend > >> - Sedat - >> >> [1] >> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=security%40kernel.org >>
