[openwrt/staging/wigyori.git] / package / kernel / mac80211 / patches / 319-0017-brcmfmac-avoid-potential-stack-overflow-in-brcmf_cfg.patch
1 From ded89912156b1a47d940a0c954c43afbabd0c42c Mon Sep 17 00:00:00 2001
2 From: Arend Van Spriel <arend.vanspriel@broadcom.com>
3 Date: Mon, 5 Sep 2016 10:45:47 +0100
4 Subject: [PATCH] brcmfmac: avoid potential stack overflow in
5 brcmf_cfg80211_start_ap()
6
7 User-space can choose to omit NL80211_ATTR_SSID and only provide raw
8 IE TLV data. When doing so it can provide SSID IE with length exceeding
9 the allowed size. The driver further processes this IE copying it
10 into a local variable without checking the length. Hence stack can be
11 corrupted and used as exploit.
12
13 Cc: stable@vger.kernel.org # v4.7
14 Reported-by: Daxing Guo <freener.gdx@gmail.com>
15 Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
16 Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
17 Reviewed-by: Franky Lin <franky.lin@broadcom.com>
18 Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
19 Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
20 ---
21 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +-
22 1 file changed, 1 insertion(+), 1 deletion(-)
23
24 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
25 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
26 @@ -4523,7 +4523,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
27 (u8 *)&settings->beacon.head[ie_offset],
28 settings->beacon.head_len - ie_offset,
29 WLAN_EID_SSID);
30 - if (!ssid_ie)
31 + if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)
32 return -EINVAL;
33
34 memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);
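Review bot: the new bound in `if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)` is expressed as a protocol constant rather than as the size of the buffer that the following `memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len)` writes into, so the fix is only correct as long as `ssid_le.SSID` is at least IEEE80211_MAX_SSID_LEN bytes, which this hunk does not show. Comparing against `sizeof(ssid_le.SSID)`, or adding a `BUILD_BUG_ON()` that ties the two sizes together, would keep the check valid if either definition changes. Two smaller points on the same lines: the length passed to the IE lookup is `settings->beacon.head_len - ie_offset`, and nothing visible here shows that `head_len` is at least `ie_offset`, so it is worth confirming that the subtraction cannot wrap before the buffer is parsed. A missing SSID IE and an oversized one now both return `-EINVAL` silently, so a debug message on the oversized case would help when diagnosing rejected user-space requests.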