refs/tags/ASB-2020-01-05_4.9-q-release - kernel/common

tag	30d1d0523e5472a471cda295c05dc7b2781723ce
tagger	Todd Kjos <tkjos@google.com>	Mon Jan 06 13:45:44 2020 -0800
object	9aa79c175a0019681697a69e81262a5016941fc8

https://source.android.com/security/bulletin/2020-01-01
CVE-2019-17666
CVE-2018-20856
CVE-2019-11599
CVE-2019-15214

commit	9aa79c175a0019681697a69e81262a5016941fc8	[log] [tgz]
author	Laura Abbott <labbott@redhat.com>	Fri Oct 18 07:43:21 2019 -0400
committer	Todd Kjos <tkjos@google.com>	Fri Dec 13 17:24:09 2019 -0800
tree	d86b27c7bef450217e8fe272e8ec21f55c29798d
parent	502a526abc2b77975063ab74c9c5446190ea14e9 [diff]

rtlwifi: Fix potential overflow on P2P code

commit 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1 upstream.

Nicolas Waisman noticed that even though noa_len is checked for
a compatible length it's still possible to overrun the buffers
of p2pinfo since there's no check on the upper bound of noa_num.
Bound noa_num against P2P_MAX_NOA_NUM.

Reported-by: Nicolas Waisman <nico@semmle.com>
Signed-off-by: Laura Abbott <labbott@redhat.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/net/wireless/realtek/rtlwifi/ps.c[diff]

1 file changed