Commit e5e884b4 authored 5 years ago by Wen Huang Committed by Kalle Valo 5 years ago

libertas: Fix two buffer overflows at parsing bss descriptor


add_ie_rates() copys rates without checking the length
in bss descriptor from remote AP.when victim connects to
remote attacker, this may trigger buffer overflow.
lbs_ibss_join_existing() copys rates without checking the length
in bss descriptor from remote IBSS node.when victim connects to
remote attacker, this may trigger buffer overflow.
Fix them by putting the length check before performing copy.

This fix addresses CVE-2019-14896 and CVE-2019-14897.
This also fix build warning of mixed declarations and code.

Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Wen Huang <huangwenabc@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

parent b43e36d7

No related branches found

No related tags found

Hide whitespace changes

Inline Side-by-side

Showing with 13 additions and 3 deletions

Frieder Schrempf @fschrempf
mentioned in commit 783c9628
· 5 years ago

mentioned in commit 783c9628

mentioned in commit 783c96281bce4b38bb51e8c24b27b5dc4fdb3a51

Toggle commit list
Frieder Schrempf @fschrempf
mentioned in commit a5efc7dd
· 5 years ago

mentioned in commit a5efc7dd

mentioned in commit a5efc7dd242eb1086de3b02077e29657e4577e76

Toggle commit list
Frieder Schrempf @fschrempf
mentioned in commit ae7f404d
· 5 years ago

mentioned in commit ae7f404d

mentioned in commit ae7f404d922747e9e97679d5bbde51e0a72693ca

Toggle commit list
Frieder Schrempf @fschrempf
mentioned in commit 61087dce
· 5 years ago

mentioned in commit 61087dce

mentioned in commit 61087dce64a53f13b8cc162032f25ef80f50b15c

Toggle commit list

Please register or to comment