mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame() - linux-dev - Linux kernel development work

diff options

author	qize wang <wangqize888888888@gmail.com>	2019-11-29 18:10:54 +0800
committer	Kalle Valo <kvalo@codeaurora.org>	2019-12-02 16:51:58 +0200
commit	1e58252e334dc3f3756f424a157d1b7484464c40 (patch)
tree	8b76f404aa02e7d73a4a0400db55ad69e988d47b /.mailmap
parent	mt76: mt76x0: fix default mac address overwrite (diff)
download	linux-dev-1e58252e334dc3f3756f424a157d1b7484464c40.tar.xz linux-dev-1e58252e334dc3f3756f424a157d1b7484464c40.zip

mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()

mwifiex_process_tdls_action_frame() without checking the incoming tdls infomation element's vality before use it, this may cause multi heap buffer overflows. Fix them by putting vality check before use it. IE is TLV struct, but ht_cap and ht_oper aren’t TLV struct. the origin marvell driver code is wrong: memcpy(&sta_ptr->tdls_cap.ht_oper, pos,.... memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,... Fix the bug by changing pos(the address of IE) to pos+2 ( the address of IE value ). Signed-off-by: qize wang <wangqize888888888@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

Diffstat (limited to '.mailmap')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: