brcmfmac: assure SSID length from firmware is limited (CVE-2019-9500)
parent
c11ba60cce
commit
8970aaa563
|
@ -12,6 +12,9 @@ linux (4.19.37-4) UNRELEASED; urgency=medium
|
|||
[ Romain Perier ]
|
||||
* [rt] Update to 4.19.37-rt20
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* brcmfmac: assure SSID length from firmware is limited (CVE-2019-9500)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Sun, 19 May 2019 00:04:16 +0100
|
||||
|
||||
linux (4.19.37-3) unstable; urgency=medium
|
||||
|
|
34
debian/patches/bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
vendored
Normal file
|
@ -0,0 +1,34 @@
|
|||
From: Arend van Spriel <arend.vanspriel@broadcom.com>
|
||||
Date: Thu, 14 Feb 2019 13:43:47 +0100
|
||||
Subject: brcmfmac: assure SSID length from firmware is limited
|
||||
Origin: https://git.kernel.org/linus/1b5e2423164b3670e8bc9174e4762d297990deff
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-9500
|
||||
|
||||
The SSID length as received from firmware should not exceed
|
||||
IEEE80211_MAX_SSID_LEN as that would result in heap overflow.
|
||||
|
||||
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
|
||||
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
|
||||
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
|
||||
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
|
||||
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
||||
---
|
||||
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
|
||||
index b5e291ed9496..012275fc3bf7 100644
|
||||
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
|
||||
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
|
||||
@@ -3507,6 +3507,8 @@ brcmf_wowl_nd_results(struct brcmf_if *ifp, const struct brcmf_event_msg *e,
|
||||
}
|
||||
|
||||
netinfo = brcmf_get_netinfo_array(pfn_result);
|
||||
+ if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
|
||||
+ netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;
|
||||
memcpy(cfg->wowl.nd->ssid.ssid, netinfo->SSID, netinfo->SSID_len);
|
||||
cfg->wowl.nd->ssid.ssid_len = netinfo->SSID_len;
|
||||
cfg->wowl.nd->n_channels = 1;
|
||||
--
|
||||
2.20.1
|
||||
|
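Review bot: In the cfg80211.c hunk carried by this patch, an over-long `netinfo->SSID_len` is clamped to `IEEE80211_MAX_SSID_LEN` silently, so a firmware event with an out-of-range length field (the condition the commit message ties to the heap overflow) leaves nothing in the kernel log for an operator to detect. I would brace the new `if` and log before the assignment, for example `brcmf_err("SSID_len %d from firmware exceeds %d, truncating\n", netinfo->SSID_len, IEEE80211_MAX_SSID_LEN);`, assuming `brcmf_err` is the logger this driver uses here and that its rate limiting is acceptable for an event a peer may be able to trigger repeatedly. A short comment above the check, such as `/* SSID_len comes from firmware and is untrusted: bound it before the copy into ssid.ssid */`, would also record why the value is rewritten in the event data instead of being rejected. `brcmf_wowl_nd_results` starts and ends outside the hunk, so whether the other firmware-supplied fields it reads are bounded cannot be judged from these lines.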
|
@ -212,6 +212,7 @@ bugfix/all/spec/0028-x86-mds-Add-MDSUM-variant-to-the-MDS-documentation.patch
|
|||
bugfix/all/spec/0029-Documentation-Correct-the-possible-MDS-sysfs-values.patch
|
||||
bugfix/all/spec/0030-x86-speculation-mds-Fix-documentation-typo.patch
|
||||
bugfix/all/spec/powerpc-64s-include-cpu-header.patch
|
||||
bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|