Takashi Iwai <[email protected]> wrote: > A few places in mwifiex_uap_parse_tail_ies() perform memcpy() > unconditionally, which may lead to either buffer overflow or read over > boundary. > > This patch addresses the issues by checking the read size and the > destination size at each place more properly. Along with the fixes, > the patch cleans up the code slightly by introducing a temporary > variable for the token size, and unifies the error path with the > standard goto statement. > > Reported-by: huangwen <[email protected]> > Signed-off-by: Takashi Iwai <[email protected]>
Patch applied to wireless-drivers.git, thanks. 69ae4f6aac15 mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() -- https://patchwork.kernel.org/patch/10970141/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
