libertas: Fix two buffer overflows at parsing bss descriptor - linux - Linux Kernel (branches are rebased on master from time to time)

diff options

author	Wen Huang <huangwenabc@gmail.com>	2019-11-28 18:51:04 +0800
committer	Kalle Valo <kvalo@codeaurora.org>	2019-12-18 20:52:14 +0200
commit	e5e884b42639c74b5b57dc277909915c0aefc8bb (patch)
tree	27fa276969946cf39207ce5fc8a3cea18c381c07 /MAINTAINERS
parent	b43e36d75e8727f78892652a25967a1ffa03d1d1 (diff)
download	linux-e5e884b42639c74b5b57dc277909915c0aefc8bb.tar.bz2

libertas: Fix two buffer overflows at parsing bss descriptor

add_ie_rates() copys rates without checking the length in bss descriptor from remote AP.when victim connects to remote attacker, this may trigger buffer overflow. lbs_ibss_join_existing() copys rates without checking the length in bss descriptor from remote IBSS node.when victim connects to remote attacker, this may trigger buffer overflow. Fix them by putting the length check before performing copy. This fix addresses CVE-2019-14896 and CVE-2019-14897. This also fix build warning of mixed declarations and code. Reported-by: kbuild test robot <lkp@intel.com> Signed-off-by: Wen Huang <huangwenabc@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

Diffstat (limited to 'MAINTAINERS')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: