From: Kalle Valo <kvalo@codeaurora.org>
To: huangwenabc@gmail.com
Cc: linux-wireless@vger.kernel.org
Subject: Re: [PATCH] libertas: Fix two buffer overflows at parsing bss descriptor
Date: Wed, 18 Dec 2019 18:52:30 +0000 (UTC) [thread overview]
Message-ID: <20191218185230.63104C4479C@smtp.codeaurora.org> (raw)
In-Reply-To: <20191128105104.52920-1-huangwenabc@gmail.com>
huangwenabc@gmail.com wrote:
> From: Wen Huang <huangwenabc@gmail.com>
>
> add_ie_rates() copys rates without checking the length
> in bss descriptor from remote AP.when victim connects to
> remote attacker, this may trigger buffer overflow.
> lbs_ibss_join_existing() copys rates without checking the length
> in bss descriptor from remote IBSS node.when victim connects to
> remote attacker, this may trigger buffer overflow.
> Fix them by putting the length check before performing copy.
>
> This fix addresses CVE-2019-14896 and CVE-2019-14897.
> This also fix build warning of mixed declarations and code.
>
> Reported-by: kbuild test robot <lkp@intel.com>
> Signed-off-by: Wen Huang <huangwenabc@gmail.com>
Patch applied to wireless-drivers.git, thanks.
e5e884b42639 libertas: Fix two buffer overflows at parsing bss descriptor
--
https://patchwork.kernel.org/patch/11265751/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
next prev parent reply other threads:[~2019-12-18 18:52 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-28 10:51 [PATCH] libertas: Fix two buffer overflows at parsing bss descriptor huangwenabc
2019-12-18 18:52 ` Kalle Valo [this message]
-- strict thread matches above, loose matches on Subject: below --
2019-11-22 5:29 huangwenabc
2019-11-24 7:52 ` kbuild test robot
2019-11-24 7:52 ` kbuild test robot
2019-11-25 12:36 ` Kalle Valo
2019-11-25 14:29 ` Philip Li
2019-11-27 18:23 ` Guenter Roeck
2019-11-28 1:53 ` Rong Chen
2020-03-24 15:19 ` Kalle Valo
2019-11-25 12:36 ` Kalle Valo
2019-11-28 8:00 ` Kalle Valo
[not found] ` <0101016eb106d678-62ccf480-a650-47f2-87b3-cb5a03deb013-000000@us-west-2.amazonses.com>
[not found] ` <CADt2dQfbnk5WgDk=oeWjE1tziCEem-3fhhA68Pmr_fo0pZ_V=g@mail.gmail.com>
2019-11-28 11:54 ` Kalle Valo
2020-01-09 14:12 ` Nicolai Stange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191218185230.63104C4479C@smtp.codeaurora.org \
--to=kvalo@codeaurora.org \
--cc=huangwenabc@gmail.com \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.