Google Git
Sign in
android / kernel / common / 5cdd9e0e7ee99caf59ad54fa833eeb6033386875
commit5cdd9e0e7ee99caf59ad54fa833eeb6033386875[log] [tgz]
authorWen Huang <huangwenabc@gmail.com>Thu Nov 28 18:51:04 2019 +0800
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Wed Jan 29 15:02:39 2020 +0100
tree4f6d233ea497524be8aadf185d5d2a480b6e467c
parent308856261df4828afbe00abbb7b226ec80555479 [diff]
libertas: Fix two buffer overflows at parsing bss descriptor

commit e5e884b42639c74b5b57dc277909915c0aefc8bb upstream.

add_ie_rates() copys rates without checking the length
in bss descriptor from remote AP.when victim connects to
remote attacker, this may trigger buffer overflow.
lbs_ibss_join_existing() copys rates without checking the length
in bss descriptor from remote IBSS node.when victim connects to
remote attacker, this may trigger buffer overflow.
Fix them by putting the length check before performing copy.

This fix addresses CVE-2019-14896 and CVE-2019-14897.
This also fix build warning of mixed declarations and code.

Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Wen Huang <huangwenabc@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 file changed
tree: 4f6d233ea497524be8aadf185d5d2a480b6e467c
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README