android_kernel_oneplus_msm8998/drivers/net/wireless/brcm80211/brcmfmac
Arend Van Spriel b82a7f93b4 brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()
commit ded89912156b1a47d940a0c954c43afbabd0c42c upstream.

User-space can choose to omit NL80211_ATTR_SSID and only provide raw
IE TLV data. When doing so, it can provide an SSID IE with a length exceeding
the allowed size. The driver further processes this IE, copying it
into a local variable without checking the length. Hence the stack can be
corrupted and used as an exploit.

Reported-by: Daxing Guo <freener.gdx@gmail.com>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Juerg Haefliger <juerg.haefliger@hpe.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-10-31 04:13:58 -06:00
bcdc.c brcmfmac: change prototype for brcmf_fws_hdrpull() 2015-09-29 10:28:50 +03:00
bcdc.h
bcmsdh.c brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain 2016-10-07 15:23:45 +02:00
btcoex.c brcmfmac: use brcmf_get_ifp() to map ifidx to struct brcmf_if instance 2015-09-29 10:28:40 +03:00
btcoex.h
bus.h brcmfmac: expose device memory to devcoredump subsystem 2015-10-21 10:56:23 +03:00
cfg80211.c brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap() 2016-10-31 04:13:58 -06:00
cfg80211.h brcmfmac: Remove unused state AP creating. 2015-10-21 10:56:51 +03:00
chip.c brcm80211: Add support for brcm4371 2015-10-21 10:57:44 +03:00
chip.h brcmfmac: Reset PCIE devices after recognition. 2015-09-29 10:31:15 +03:00
common.c
common.h brcmfmac: Move brcmf_c_preinit_dcmds prototype to correct file. 2015-10-21 10:56:50 +03:00
commonring.c
commonring.h
core.c brcmfmac: Properly set carrier state of netdev. 2015-10-21 10:56:53 +03:00
core.h brcmfmac: Properly set carrier state of netdev. 2015-10-21 10:56:53 +03:00
debug.c brcmfmac: expose device memory to devcoredump subsystem 2015-10-21 10:56:23 +03:00
debug.h brcmfmac: expose device memory to devcoredump subsystem 2015-10-21 10:56:23 +03:00
feature.c brcmfmac: Add module parameter to disable features. 2015-09-29 10:56:01 +03:00
feature.h
firmware.c brcmfmac: rename firmware_path to alternative_fw_path 2015-10-21 10:56:40 +03:00
firmware.h
flowring.c brcmfmac: use brcmf_get_ifp() to map ifidx to struct brcmf_if instance 2015-09-29 10:28:40 +03:00
flowring.h brcmfmac: Fix bug in flowring management. 2015-09-29 10:55:52 +03:00
fweh.c brcmfmac: Rework p2p attach, use single method for p2p dev creation. 2015-10-21 10:56:45 +03:00
fweh.h brcmfmac: Fix TDLS setup by properly handling p2p noif. 2015-09-29 10:56:06 +03:00
fwil.c
fwil.h brcmfmac: Add dump_station support to cfg80221 ops. 2015-10-21 10:56:49 +03:00
fwil_types.h brcmfmac: Add dump_station support to cfg80221 ops. 2015-10-21 10:56:49 +03:00
fwsignal.c brcmfmac: change prototype for brcmf_fws_hdrpull() 2015-09-29 10:28:50 +03:00
fwsignal.h brcmfmac: change prototype for brcmf_fws_hdrpull() 2015-09-29 10:28:50 +03:00
Makefile
msgbuf.c brcmfmac: remove conversational comment 2015-10-21 10:56:42 +03:00
msgbuf.h
of.c
of.h
p2p.c brcmfmac: Rework p2p attach, use single method for p2p dev creation. 2015-10-21 10:56:45 +03:00
p2p.h brcmfmac: Deleting of p2p device is leaking memory. 2015-09-29 10:55:57 +03:00
pcie.c brcm80211: Add support for brcm4371 2015-10-21 10:57:44 +03:00
pcie.h
proto.c
proto.h brcmfmac: make brcmf_proto_hdrpull() return struct brcmf_if instance 2015-09-29 10:28:30 +03:00
sdio.c brcmfmac: expose device memory to devcoredump subsystem 2015-10-21 10:56:23 +03:00
sdio.h
tracepoint.c
tracepoint.h
usb.c brcmfmac: Fix race condition between USB probe/load and disconnect. 2015-10-21 10:56:39 +03:00
usb.h
vendor.c
vendor.h