From: Sasha Levin <sashal@kernel.org>
To: Brian Norris <briannorris@chromium.org>
Cc: Linux Kernel <linux-kernel@vger.kernel.org>,
stable <stable@vger.kernel.org>, Takashi Iwai <tiwai@suse.de>,
Kalle Valo <kvalo@codeaurora.org>,
linux-wireless <linux-wireless@vger.kernel.org>,
"<netdev@vger.kernel.org>" <netdev@vger.kernel.org>
Subject: Re: [PATCH AUTOSEL 4.19 14/60] mwifiex: Abort at too short BSS descriptor element
Date: Wed, 10 Jul 2019 10:51:12 -0400 [thread overview]
Message-ID: <20190710145112.GX10104@sasha-vm> (raw)
In-Reply-To: <CA+ASDXPyGECiq9gZmFj8TU6Gmt2epQtuBqnGqRWad79DJT589w@mail.gmail.com>
On Fri, Jun 28, 2019 at 03:58:49PM -0700, Brian Norris wrote:
>On Wed, Jun 26, 2019 at 5:49 PM Sasha Levin <sashal@kernel.org> wrote:
>>
>> From: Takashi Iwai <tiwai@suse.de>
>>
>> [ Upstream commit 685c9b7750bfacd6fc1db50d86579980593b7869 ]
>>
>> Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that
>> the source descriptor entries contain the enough size for each type
>> and performs copying without checking the source size. This may lead
>> to read over boundary.
>>
>> Fix this by putting the source size check in appropriate places.
>>
>> Signed-off-by: Takashi Iwai <tiwai@suse.de>
>> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>
>For the record, this fixup is still aiming for 5.2, correcting some
>potential mistakes in this patch:
>
>63d7ef36103d mwifiex: Don't abort on small, spec-compliant vendor IEs
>
>So you might want to hold off a bit, and grab them both.
I see that 63d7ef36103d didn't make it into 5.2, so I'll just drop this
for now.
--
Thanks,
Sasha
next prev parent reply other threads:[~2019-07-10 14:51 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20190627003616.20767-1-sashal@kernel.org>
2019-06-27 0:35 ` [PATCH AUTOSEL 4.19 06/60] mac80211: fix rate reporting inside cfg80211_calculate_bitrate_he() Sasha Levin
2019-06-27 0:35 ` [PATCH AUTOSEL 4.19 11/60] mac80211: mesh: fix RCU warning Sasha Levin
2019-06-27 0:35 ` [PATCH AUTOSEL 4.19 12/60] mac80211: free peer keys before vif down in mesh Sasha Levin
2019-06-27 0:35 ` [PATCH AUTOSEL 4.19 13/60] mwifiex: Fix possible buffer overflows at parsing bss descriptor Sasha Levin
2019-06-27 0:35 ` [PATCH AUTOSEL 4.19 14/60] mwifiex: Abort at too short BSS descriptor element Sasha Levin
2019-06-28 22:58 ` Brian Norris
2019-07-10 14:51 ` Sasha Levin [this message]
2019-07-10 21:12 ` Brian Norris
2019-06-27 0:35 ` [PATCH AUTOSEL 4.19 15/60] iwlwifi: Fix double-free problems in iwl_req_fw_callback() Sasha Levin
2019-06-27 0:35 ` [PATCH AUTOSEL 4.19 16/60] mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies() Sasha Levin
2019-06-27 0:35 ` [PATCH AUTOSEL 4.19 40/60] mac80211: only warn once on chanctx_conf being NULL Sasha Levin
2019-06-27 0:35 ` [PATCH AUTOSEL 4.19 41/60] mac80211: do not start any work during reconfigure flow Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190710145112.GX10104@sasha-vm \
--to=sashal@kernel.org \
--cc=briannorris@chromium.org \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox