android_kernel_oneplus_msm8998/drivers
Dan Carpenter a898d15095 brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler()
[ Upstream commit e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d ]

If "ret_len" is negative then it could lead to a NULL dereference.

The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative
then we don't allocate the "dcmd_buf" buffer.  Then we pass "ret_len" to
brcmf_fil_cmd_data_set() where it is cast to a very high u32 value.
Most of the functions in that call tree check whether the buffer we pass
is NULL but there are at least a couple places which don't such as
brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd().  We memcpy() to and
from the buffer so it would result in a NULL dereference.

The fix is to change the types so that "ret_len" can't be negative.  (If
we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an
issue).

Fixes: 1bacb0487d ("brcmfmac: replace cfg80211 testmode with vendor command")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-06-11 12:23:54 +02:00
accessibility
acpi ACPI / SBS: Fix GPE storm on recent MacBookPro's 2019-04-27 09:33:58 +02:00
amba
android
ata libata: fix using DMA buffers on stack 2019-05-16 19:44:59 +02:00
atm atm: he: fix sign-extension overflow on large shift 2019-03-23 08:44:16 +01:00
auxdisplay
base x86/speculation/mds: Add sysfs reporting for MDS 2019-05-16 19:45:14 +02:00
bcma
block xsysace: Fix error handling in ace_setup 2019-05-16 19:45:02 +02:00
bluetooth Revert "Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV" 2018-11-27 16:08:01 +01:00
bus
cdrom cdrom: Fix race condition in cdrom_sysctl_register 2019-04-27 09:33:52 +02:00
char ipmi:ssif: compare block number correctly for multi-part return messages 2019-06-11 12:23:39 +02:00
clk clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider 2019-06-11 12:23:45 +02:00
clocksource clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown 2019-03-23 08:44:35 +01:00
connector
cpufreq cpufreq: pxa2xx: remove incorrect __init annotation 2019-03-23 08:44:36 +01:00
cpuidle cpuidle: big.LITTLE: fix refcount leak 2019-02-20 10:13:09 +01:00
crypto crypto: vmx - CTR: always increment IV as quadword 2019-06-11 12:23:51 +02:00
dca
devfreq PM / devfreq: tegra: fix error return code in tegra_devfreq_probe() 2018-11-10 07:41:40 -08:00
dio
dma dmaengine: tegra: avoid overflow of byte tracking 2019-04-27 09:33:53 +02:00
dma-buf
edac EDAC, i7core: Fix memleaks and use-after-free on probe and remove 2018-10-10 08:52:06 +02:00
eisa
extcon extcon: usb-gpio: Don't miss event during suspend/resume 2019-04-03 06:23:18 +02:00
firewire
firmware efi: stub: define DISABLE_BRANCH_PROFILING for all architectures 2019-04-03 06:23:20 +02:00
fmc
fpga
gpio gpio: gpio-omap: fix level interrupt idling 2019-04-27 09:33:48 +02:00
gpu gpu: ipu-v3: dp: fix CSC handling 2019-05-16 19:45:07 +02:00
hid HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys 2019-05-16 19:45:05 +02:00
hsi
hv Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels 2019-01-13 10:05:27 +01:00
hwmon hwmon: (lm80) Fix missing unlock on error in set_fan_div() 2019-02-23 09:05:13 +01:00
hwspinlock
hwtracing intel_th: msu: Fix single mode with IOMMU 2019-06-11 12:23:44 +02:00
i2c i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA 2019-04-27 09:33:47 +02:00
ide ide: pmac: add of_node_put() 2018-12-21 14:09:52 +01:00
idle
iio iio: adc: xilinx: fix potential use-after-free on remove 2019-05-16 19:45:05 +02:00
infiniband IB/mlx4: Fix race condition between catas error reset and aliasguid flows 2019-04-27 09:33:56 +02:00
input Input: snvs_pwrkey - initialize necessary driver data before enabling IRQ 2019-05-16 19:45:03 +02:00
iommu iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114 2019-06-11 12:23:46 +02:00
ipack
irqchip irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable 2019-03-23 08:44:27 +01:00
isdn mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S 2019-04-03 06:23:25 +02:00
leds leds: lp55xx: fix null deref on firmware load failure 2019-04-27 09:33:51 +02:00
lguest
lightnvm
macintosh macintosh/via-pmu: Add missing mmio accessors 2018-09-19 22:48:57 +02:00
mailbox
mcb
md md/raid: raid5 preserve the writeback action after the parity check 2019-06-11 12:23:50 +02:00
media media: vivid: use vfree() instead of kfree() for dev->bitmap_cap 2019-06-11 12:23:52 +02:00
memory memory: tegra: Fix integer overflow on tick value calculation 2019-06-11 12:23:46 +02:00
memstick memstick: Prevent memstick host from getting runtime suspended during card detection 2019-02-20 10:13:09 +01:00
message
mfd mfd: mc13xxx: Fix a missing check of a register-read failure 2019-03-23 08:44:16 +01:00
misc misc: vexpress: Off by one in vexpress_syscfg_exec() 2019-02-20 10:13:18 +01:00
mmc mmc: core: Verify SD bus width 2019-06-11 12:23:54 +02:00
mtd mtd: rawnand: gpmi: fix MX28 bus master lockup problem 2019-02-20 10:13:17 +01:00
net brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler() 2019-06-11 12:23:54 +02:00
nfc NFC: nxp-nci: Include unaligned.h instead of access_ok.h 2019-02-20 10:13:20 +01:00
ntb
nubus
nvdimm libnvdimm/btt: Fix a kmemdup failure check 2019-05-16 19:45:05 +02:00
nvme
nvmem
of of: add helper to lookup compatible child node 2018-12-01 09:46:35 +01:00
oprofile
parisc
parport parport_pc: fix find_superio io compare code, should use equal test. 2019-03-23 08:44:37 +01:00
pci PCI: Mark Atheros AR9462 to avoid bus reset 2019-06-11 12:23:48 +02:00
pcmcia pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges 2018-11-21 09:27:30 +01:00
perf
phy
pinctrl pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins 2019-03-23 08:44:33 +01:00
platform platform/x86: sony-laptop: Fix unintentional fall-through 2019-05-16 19:45:05 +02:00
pnp
power power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG 2019-06-11 12:23:49 +02:00
powercap
pps
ps3
ptp ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl 2019-02-20 10:13:05 +01:00
pwm pwm: tiehrpwm: Fix disabling of output of PWMs 2018-09-09 20:04:35 +02:00
rapidio
ras
regulator regulator: act8865: Fix act8600_sudcdc_voltage_ranges setting 2019-04-27 09:33:53 +02:00
remoteproc
reset
rpmsg
rtc rtc: da9063: set uie_unsupported when relevant 2019-05-16 19:45:01 +02:00
s390 s390: ctcm: fix ctcm_new_device error return code 2019-05-16 19:45:06 +02:00
sbus drivers/sbus/char: add of_node_put() 2018-12-21 14:09:52 +01:00
scsi Revert "scsi: sd: Keep disk read-only when re-reading partition" 2019-06-11 12:23:51 +02:00
sfi
sh
sn
soc soc/tegra: fuse: Fix illegal free of IO base address 2019-04-27 09:33:52 +02:00
spi spi: pxa2xx: fix SCR (divisor) calculation 2019-06-11 12:23:54 +02:00
spmi
ssb ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit 2019-06-11 12:23:53 +02:00
staging staging: iio: adt7316: fix the dac write calculation 2019-05-16 19:45:02 +02:00
target scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock 2019-03-23 08:44:35 +01:00
tc TC: Set DMA masks for devices 2018-11-21 09:27:36 +01:00
thermal thermal/int340x_thermal: fix mode setting 2019-04-27 09:33:57 +02:00
thunderbolt
tty tty/vt: fix write/write race in ioctl(KDSKBSENT) handler 2019-06-11 12:23:37 +02:00
uio uio: Fix an Oops on load 2018-11-27 16:08:02 +01:00
usb USB: serial: fix unthrottle races 2019-05-16 19:45:16 +02:00
uwb uwb: hwa-rc: fix memory leak at probe 2018-10-10 08:52:04 +02:00
vfio vfio/pci: use correct format characters 2019-05-16 19:45:01 +02:00
vhost vhost: make sure used idx is seen before log in vhost_add_used_n() 2019-01-13 10:05:28 +01:00
video fbdev: fix WARNING in __alloc_pages_nodemask bug 2019-06-11 12:23:52 +02:00
virt drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl 2019-05-16 19:45:18 +02:00
virtio
vlynq
vme
w1 USB: w1 ds2490: Fix bug caused by improper use of altsetting array 2019-05-16 19:45:00 +02:00
watchdog
xen xen: xlate_mmu: add missing header to fix 'W=1' warning 2018-12-17 21:55:11 +01:00
zorro
Kconfig
Makefile