authorOliver Neukum <oneukum@suse.com>2019-09-10 16:14:45 +0200
committerOliver Neukum <oneukum@suse.com>2019-09-10 16:14:45 +0200
commit0a77efee3a43844ab767caa82a5d392bb574a95c (patch)
tree989a5d1679862d3b6f09c863d96dbb837d196b79
parent334c20c5b383939deba2fd207b9f65e14523af73 (diff)
mwifiex: Fix possible buffer overflows at parsing bss descriptor
(bsc#1136424 CVE-2019-3846). Manually readded as it was lost in a merge suse-commit: 0c745d6ba45bfb411a1085149bcaedb5aaf683ed
-rw-r--r--drivers/net/wireless/marvell/mwifiex/scan.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
index 3cbccafad2b0..ed27147efcb3 100644
--- a/drivers/net/wireless/marvell/mwifiex/scan.c
+++ b/drivers/net/wireless/marvell/mwifiex/scan.c
@@ -1248,6 +1248,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
}
switch (element_id) {
case WLAN_EID_SSID:
+ if (element_len > IEEE80211_MAX_SSID_LEN)
+ return -EINVAL;
bss_entry->ssid.ssid_len = element_len;
memcpy(bss_entry->ssid.ssid, (current_ptr + 2),
element_len);
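Review bot: The new `return -EINVAL` under `case WLAN_EID_SSID` drops an oversized SSID element without leaving any trace, so a beacon or probe response carrying a malformed IE disappears silently, which makes the condition hard to spot when triaging scan failures or suspicious frames. A debug line before the return would help, for example `mwifiex_dbg(adapter, INFO, "SSID IE too long: %u\n", element_len);`, kept at a level that is not enabled by default because the frame contents are controlled by the sender and could otherwise flood the log. The same applies to the `WLAN_EID_SUPP_RATES` check in the next hunk. The added test bounds the write into `bss_entry->ssid.ssid`; whether `element_len` was already validated against the bytes remaining in the source buffer (the read side of the `memcpy`) is decided above this hunk and cannot be confirmed from here. The body of mwifiex_update_bss_desc_with_ie starts and ends outside the hunk.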
@@ -1257,6 +1259,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
break;
case WLAN_EID_SUPP_RATES:
+ if (element_len > MWIFIEX_SUPPORTED_RATES)
+ return -EINVAL;
memcpy(bss_entry->data_rates, current_ptr + 2,
element_len);
memcpy(bss_entry->supported_rates, current_ptr + 2,