BACKPORT: FROMGIT: mwifiex: Fix possible buffer overflows at parsing bss descriptor

mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
a couple places without checking the destination size.  Since the
source is given from user-space, this may trigger a heap buffer
overflow.

Fix it by putting the length check before performing memcpy().

This fix addresses CVE-2019-3846.

Reported-by: huangwen <huangwen@venustech.com.cn>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
(cherry picked from commit 13ec7f10b87f5fc04c4ccbd491c94c7980236a74
 git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)

BUG=chromium:972354
TEST=Wireless tests

Change-Id: I2698cc3a7cec63d35133c8aa6301babdbb259c27
[groeck: Applied to wireless, wireless-3.8, and wireless-4.2]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit e1af382c1adfa16dee543bd06daaab4bb9b0edfd)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1658753
Legacy-Commit-Queue: Commit Bot <commit-bot@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>
(cherry picked from commit fcfcb2d423078d17f03a29ebabf8bb2a88fe7221)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1665390
3 files changed
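The pattern the commit message describes, a length check placed before each memcpy() into a fixed-size descriptor field, shown as an added example; it is not the mwifiex driver's code and not part of the original commit. The struct, function names, the 14-byte rates field and the sample buffers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EID_SSID       0   /* 802.11 element ID: SSID */
#define EID_SUPP_RATES 1   /* 802.11 element ID: supported rates */

/* Hypothetical descriptor; the rates size is assumed for this example. */
struct bss_desc {
    uint8_t ssid[32], ssid_len;
    uint8_t rates[14], rates_len;
};

/* Constructed sample inputs (not captured traffic). */
static const uint8_t ok_ies[] = { 0, 4, 't', 'e', 's', 't', 1, 2, 0x82, 0x84 };
static uint8_t long_ssid_ies[2 + 40] = { 0, 40 };   /* SSID claims 40 bytes */
static const uint8_t cut_ies[] = { 1, 8, 0x82 };    /* length runs past end */

/* Bounded copy: reject an element that does not fit the destination. */
static int copy_ie(uint8_t *dst, size_t dst_size, uint8_t *dst_len,
                   const uint8_t *src, uint8_t len)
{
    if (len > dst_size)
        return -1;
    memcpy(dst, src, len);
    *dst_len = len;
    return 0;
}

/* Walk id/len/payload elements; 0 on success, -1 on malformed input. */
int parse_bss_ies(const uint8_t *buf, size_t left, struct bss_desc *d)
{
    int ret = 0;

    memset(d, 0, sizeof(*d));
    while (left >= 2 && ret == 0) {
        uint8_t id = buf[0], len = buf[1];

        if ((size_t)len + 2 > left)     /* element must fit the source */
            return -1;
        if (id == EID_SSID)
            ret = copy_ie(d->ssid, sizeof(d->ssid), &d->ssid_len, buf + 2, len);
        else if (id == EID_SUPP_RATES)
            ret = copy_ie(d->rates, sizeof(d->rates), &d->rates_len, buf + 2, len);
        /* other element IDs are skipped */
        buf += (size_t)len + 2;
        left -= (size_t)len + 2;
    }
    return (ret == 0 && left == 0) ? 0 : -1;
}
```

The parser checks each element twice: once against the remaining source bytes and once against the destination field, so an oversized length is rejected before any copy happens.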