Commit ded8991

Arend Van Spriel authored and Kalle Valo committed
brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()

User-space can choose to omit NL80211_ATTR_SSID and only provide raw IE TLV data. When doing so it can provide SSID IE with length exceeding the allowed size. The driver further processes this IE copying it into a local variable without checking the length. Hence stack can be corrupted and used as exploit.

Cc: stable@vger.kernel.org # v4.7
Reported-by: Daxing Guo <freener.gdx@gmail.com>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

1 parent a9840c4 commit ded8991

1 file changed, +1 -1 lines changed

Diff for: drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c

@@ -4527,7 +4527,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wiphy, struct net_device *ndev,
45274527
(u8 *)&settings->beacon.head[ie_offset],
45284528
settings->beacon.head_len - ie_offset,
45294529
WLAN_EID_SSID);
4530-
if (!ssid_ie)
4530+
if (!ssid_ie || ssid_ie->len > IEEE80211_MAX_SSID_LEN)
45314531
return -EINVAL;
45324532

45334533
memcpy(ssid_le.SSID, ssid_ie->data, ssid_ie->len);
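
Review bot: On the changed line, the bound `ssid_ie->len > IEEE80211_MAX_SSID_LEN` protects the `memcpy()` into `ssid_le.SSID` a few lines below only as long as that array is at least `IEEE80211_MAX_SSID_LEN` bytes, and the declaration of `ssid_le` is not visible in this hunk. Consider comparing against `sizeof(ssid_le.SSID)` instead, or adding a `BUILD_BUG_ON()` next to the check, so the limit and the destination buffer cannot drift apart. A short comment noting that this path handles an SSID IE taken from user-supplied beacon data would also help, since a missing IE and an oversized IE now both return -EINVAL with nothing in the visible lines to tell them apart.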
