From 8970aaa5634b62d00720770f8e17ffc5bf227a14 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 7 Jun 2019 14:43:05 +0200
Subject: [PATCH] brcmfmac: assure SSID length from firmware is limited
 (CVE-2019-9500)

---
 debian/changelog                              |  3 ++
 ...SSID-length-from-firmware-is-limited.patch | 34 +++++++++++++++++++
 debian/patches/series                         |  1 +
 3 files changed, 38 insertions(+)
 create mode 100644 debian/patches/bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch

diff --git a/debian/changelog b/debian/changelog
index f7d774360..b3a35647b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,9 @@ linux (4.19.37-4) UNRELEASED; urgency=medium
   [ Romain Perier ]
   * [rt] Update to 4.19.37-rt20
 
+  [ Salvatore Bonaccorso ]
+  * brcmfmac: assure SSID length from firmware is limited (CVE-2019-9500)
+
  -- Ben Hutchings <ben@decadent.org.uk>  Sun, 19 May 2019 00:04:16 +0100
 
 linux (4.19.37-3) unstable; urgency=medium
diff --git a/debian/patches/bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch b/debian/patches/bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
new file mode 100644
index 000000000..421a7dcfe
--- /dev/null
+++ b/debian/patches/bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
@@ -0,0 +1,34 @@
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Thu, 14 Feb 2019 13:43:47 +0100
+Subject: brcmfmac: assure SSID length from firmware is limited
+Origin: https://git.kernel.org/linus/1b5e2423164b3670e8bc9174e4762d297990deff
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-9500
+
+The SSID length as received from firmware should not exceed
+IEEE80211_MAX_SSID_LEN as that would result in heap overflow.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index b5e291ed9496..012275fc3bf7 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -3507,6 +3507,8 @@ brcmf_wowl_nd_results(struct brcmf_if *ifp, const struct brcmf_event_msg *e,
+ 	}
+ 
+ 	netinfo = brcmf_get_netinfo_array(pfn_result);
++	if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
++		netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;
+ 	memcpy(cfg->wowl.nd->ssid.ssid, netinfo->SSID, netinfo->SSID_len);
+ 	cfg->wowl.nd->ssid.ssid_len = netinfo->SSID_len;
+ 	cfg->wowl.nd->n_channels = 1;
+-- 
+2.20.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 89df35626..94c4903cd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -212,6 +212,7 @@ bugfix/all/spec/0028-x86-mds-Add-MDSUM-variant-to-the-MDS-documentation.patch
 bugfix/all/spec/0029-Documentation-Correct-the-possible-MDS-sysfs-values.patch
 bugfix/all/spec/0030-x86-speculation-mds-Fix-documentation-typo.patch
 bugfix/all/spec/powerpc-64s-include-cpu-header.patch
+bugfix/all/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch