refs/tags/ASB-2017-11-06_3.18-n-release - kernel/common

tag	fb4af280ef6ba5288720b4fd14d8831e2a673fae
tagger	Todd Kjos <tkjos@google.com>	Tue Nov 07 14:48:47 2017 -0800
object	996bacc82e42d2928bcc4bd997a08a44d782410d

https://source.android.com/security/bulletin/2017-11-01
CVE-2017-9077
CVE-2017-7541

commit	996bacc82e42d2928bcc4bd997a08a44d782410d	[log] [tgz]
author	Arend van Spriel <arend.vanspriel@broadcom.com>	Fri Jul 07 21:09:06 2017 +0100
committer	Todd Kjos <tkjos@google.com>	Tue Nov 07 13:58:19 2017 -0800
tree	7c0d4ffe538523db8081508fd8cb4c78620ce3d0
parent	ff58ca028d69efd26dd1c6c9c1a97de07362d3c0 [diff]

brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()

commit 8f44c9a41386729fea410e688959ddaa9d51be7c upstream.

The lower level nl80211 code in cfg80211 ensures that "len" is between
25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
"len" so thats's max of 2280.  However, the action_frame->data[] buffer is
only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
overflow.

	memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
	       le16_to_cpu(action_frame->len));

Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c[diff]

1 file changed

tree: 7c0d4ffe538523db8081508fd8cb4c78620ce3d0