debian-packaging
/
linux
8
0
Fork 0
Code Releases Activity

brcmfmac: assure SSID length from firmware is limited (CVE-2019-9500)

This commit is contained in:
Salvatore Bonaccorso 2019-06-07 14:43:05 +02:00
parent c11ba60cce
commit 8970aaa563
3 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
debian/changelog vendored
View File

@ -12,6 +12,9 @@ linux (4.19.37-4) UNRELEASED; urgency=medium
[ Romain Perier ]
* [rt] Update to 4.19.37-rt20
[ Salvatore Bonaccorso ]
* brcmfmac: assure SSID length from firmware is limited (CVE-2019-9500)
-- Ben Hutchings <ben@decadent.org.uk> Sun, 19 May 2019 00:04:16 +0100
linux (4.19.37-3) unstable; urgency=medium

34
debian/patches/bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch vendored Normal file
View File

@ -0,0 +1,34 @@
From: Arend van Spriel <arend.vanspriel@broadcom.com>
Date: Thu, 14 Feb 2019 13:43:47 +0100
Subject: brcmfmac: assure SSID length from firmware is limited
Origin: https://git.kernel.org/linus/1b5e2423164b3670e8bc9174e4762d297990deff
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-9500
The SSID length as received from firmware should not exceed
IEEE80211_MAX_SSID_LEN as that would result in heap overflow.
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index b5e291ed9496..012275fc3bf7 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -3507,6 +3507,8 @@ brcmf_wowl_nd_results(struct brcmf_if *ifp, const struct brcmf_event_msg *e,
}
netinfo = brcmf_get_netinfo_array(pfn_result);
+ if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
+ netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;
memcpy(cfg->wowl.nd->ssid.ssid, netinfo->SSID, netinfo->SSID_len);
cfg->wowl.nd->ssid.ssid_len = netinfo->SSID_len;
cfg->wowl.nd->n_channels = 1;
--
2.20.1

1
debian/patches/series vendored
View File

@ -212,6 +212,7 @@ bugfix/all/spec/0028-x86-mds-Add-MDSUM-variant-to-the-MDS-documentation.patch
bugfix/all/spec/0029-Documentation-Correct-the-possible-MDS-sysfs-values.patch
bugfix/all/spec/0030-x86-speculation-mds-Fix-documentation-typo.patch
bugfix/all/spec/powerpc-64s-include-cpu-header.patch
bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch