libertas: Fix two buffer overflows at parsing bss descriptor - user/sven/linux.git

diff options

author	Wen Huang <huangwenabc@gmail.com>	2019-11-28 18:51:04 +0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-01-29 16:43:24 +0100
commit	cbd56515be5a8ea97134ef762b7a2923b94cb9c4 (patch)
tree	c0f4b28b57627df6ee16d7e0711a5329af5b3408 /include
parent	cb75ab69193287893f4a2d55e29923b67de27d71 (diff)

libertas: Fix two buffer overflows at parsing bss descriptor

commit e5e884b42639c74b5b57dc277909915c0aefc8bb upstream. add_ie_rates() copys rates without checking the length in bss descriptor from remote AP.when victim connects to remote attacker, this may trigger buffer overflow. lbs_ibss_join_existing() copys rates without checking the length in bss descriptor from remote IBSS node.when victim connects to remote attacker, this may trigger buffer overflow. Fix them by putting the length check before performing copy. This fix addresses CVE-2019-14896 and CVE-2019-14897. This also fix build warning of mixed declarations and code. Reported-by: kbuild test robot <lkp@intel.com> Signed-off-by: Wen Huang <huangwenabc@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'include')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: