On Tue, 2011-06-07 at 20:42 +0300, Luciano Coelho wrote: > When one of the SSID's length passed in a scan or sched_scan request > is larger than 255, there will be an overflow in the u8 that is used > to store the length before checking. This causes the check to fail > and we overrun the buffer when copying the SSID. > > Fix this by checking the nl80211 attribute length before copying it to > the struct. > > This is a follow up for the previous commit > 208c72f4fe44fe09577e7975ba0e7fa0278f3d03, which didn't fix the problem > entirely. > > Reported-by: Ido Yariv <[email protected]> > Signed-off-by: Luciano Coelho <[email protected]> > ---
This should also go to stable, but since it won't apply directly there, I'll wait till it's applied upstream and then backport it to stable kernels. -- Cheers, Luca. _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
