BACKPORT: FROMGIT: mwifiex: Fix possible buffer overflows at parsing bss descriptor
mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
a couple places without checking the destination size. Since the
source is given from user-space, this may trigger a heap buffer
overflow.
Fix it by putting the length check before performing memcpy().
This fix addresses CVE-2019-3846.
Reported-by: huangwen <huangwen@venustech.com.cn>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
(cherry picked from commit 13ec7f10b87f5fc04c4ccbd491c94c7980236a74
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git master)
BUG=chromium:972354
TEST=Wireless tests
Change-Id: I2698cc3a7cec63d35133c8aa6301babdbb259c27
[groeck: Applied to wireless and wireless-3.4]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit b16d48a8b4f9b7e2ce3b771a4ff18c3ac3f52587)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1658675
Legacy-Commit-Queue: Commit Bot <commit-bot@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>
(cherry picked from commit ad75e5c1855fb6fedb5f5ad35fb4b7603e50555e)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1662084
2 files changed
