BACKPORT: FROMGIT: mwifiex: Fix possible buffer overflows at parsing bss descriptor
mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
a couple places without checking the destination size. Since the
source is given from user-space, this may trigger a heap buffer
overflow.
Fix it by putting the length check before performing memcpy().
This fix addresses CVE-2019-3846.
Reported-by: huangwen <huangwen@venustech.com.cn>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
(cherry picked from commit 13ec7f10b87f5fc04c4ccbd491c94c7980236a74
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)
BUG=chromium:972354
TEST=Wireless tests
Change-Id: I2698cc3a7cec63d35133c8aa6301babdbb259c27
[groeck: Applied to wireless and wireless-3.8]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 2f41e8012e40dd913627180af5a5eafcafc341a1)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1658674
Legacy-Commit-Queue: Commit Bot <commit-bot@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>
(cherry picked from commit ba9e83ece52e7927cb71651ca41c698ff1266503)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1662083
2 files changed
