35 lines
1.5 KiB
Diff
35 lines
1.5 KiB
Diff
From: Arend van Spriel <arend.vanspriel@broadcom.com>
|
|
Date: Thu, 14 Feb 2019 13:43:47 +0100
|
|
Subject: brcmfmac: assure SSID length from firmware is limited
|
|
Origin: https://git.kernel.org/linus/1b5e2423164b3670e8bc9174e4762d297990deff
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-9500
|
|
|
|
The SSID length as received from firmware should not exceed
|
|
IEEE80211_MAX_SSID_LEN as that would result in heap overflow.
|
|
|
|
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
|
|
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
|
|
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
|
|
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
|
|
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
|
---
|
|
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
|
|
index b5e291ed9496..012275fc3bf7 100644
|
|
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
|
|
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
|
|
@@ -3507,6 +3507,8 @@ brcmf_wowl_nd_results(struct brcmf_if *ifp, const struct brcmf_event_msg *e,
|
|
}
|
|
|
|
netinfo = brcmf_get_netinfo_array(pfn_result);
|
|
+ if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
|
|
+ netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;
|
|
memcpy(cfg->wowl.nd->ssid.ssid, netinfo->SSID, netinfo->SSID_len);
|
|
cfg->wowl.nd->ssid.ssid_len = netinfo->SSID_len;
|
|
cfg->wowl.nd->n_channels = 1;
|
|
--
|
|
2.20.1
|
|
|