mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-04 16:15:11 +00:00
8f44c9a413
The lower level nl80211 code in cfg80211 ensures that "len" is between
25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from
"len" so thats's max of 2280. However, the action_frame->data[] buffer is
only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
overflow.
memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
le16_to_cpu(action_frame->len));
Cc: stable@vger.kernel.org # 3.9.x
Fixes:
|
||
---|---|---|
.. | ||
admtek | ||
ath | ||
atmel | ||
broadcom | ||
cisco | ||
intel | ||
intersil | ||
marvell | ||
mediatek | ||
quantenna | ||
ralink | ||
realtek | ||
rsi | ||
st | ||
ti | ||
zydas | ||
Kconfig | ||
mac80211_hwsim.c | ||
mac80211_hwsim.h | ||
Makefile | ||
ray_cs.c | ||
ray_cs.h | ||
rayctl.h | ||
rndis_wlan.c | ||
wl3501.h | ||
wl3501_cs.c |