From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:37942 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753001AbdFRBHP (ORCPT
        <rfc822;stable@vger.kernel.org>); Sat, 17 Jun 2017 21:07:15 -0400
Subject: Patch "mac80211: fix IBSS presp allocation size" has been added to the 4.9-stable tree
To: johannes.berg@intel.com, gregkh@linuxfoundation.org,
        shaul.triebitz@intel.com
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
From: <gregkh@linuxfoundation.org>
Date: Sun, 18 Jun 2017 09:04:40 +0800
Message-ID: <1497747880140101@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>


This is a note to let you know that I've just added the patch titled

    mac80211: fix IBSS presp allocation size

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mac80211-fix-ibss-presp-allocation-size.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>>From f1f3e9e2a50a70de908f9dfe0d870e9cdc67e042 Mon Sep 17 00:00:00 2001
From: Johannes Berg <johannes.berg@intel.com>
Date: Thu, 27 Apr 2017 13:19:04 +0200
Subject: mac80211: fix IBSS presp allocation size

From: Johannes Berg <johannes.berg@intel.com>

commit f1f3e9e2a50a70de908f9dfe0d870e9cdc67e042 upstream.

When VHT IBSS support was added, the size of the extra elements
wasn't considered in ieee80211_ibss_build_presp(), which makes
it possible that it would overrun the allocated buffer. Fix it
by allocating the necessary space.

Fixes: abcff6ef01f9 ("mac80211: add VHT support for IBSS")
Reported-by: Shaul Triebitz <shaul.triebitz@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/mac80211/ibss.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -66,6 +66,8 @@ ieee80211_ibss_build_presp(struct ieee80
 		    2 + (IEEE80211_MAX_SUPP_RATES - 8) +
 		    2 + sizeof(struct ieee80211_ht_cap) +
 		    2 + sizeof(struct ieee80211_ht_operation) +
+		    2 + sizeof(struct ieee80211_vht_cap) +
+		    2 + sizeof(struct ieee80211_vht_operation) +
 		    ifibss->ie_len;
 	presp = kzalloc(sizeof(*presp) + frame_len, GFP_KERNEL);
 	if (!presp)


Patches currently in stable-queue which might be from johannes.berg@intel.com are

queue-4.9/mac80211-strictly-check-mesh-address-extension-mode.patch
queue-4.9/mac80211-wpa-use-constant-time-memory-comparison-for-macs.patch
queue-4.9/mac80211-don-t-send-smps-action-frame-in-ap-mode-when-not-needed.patch
queue-4.9/mac80211-fix-ibss-presp-allocation-size.patch
queue-4.9/mac80211-fix-csa-in-ibss-mode.patch
queue-4.9/mac80211-don-t-look-at-the-pm-bit-of-bar-frames.patch
queue-4.9/mac80211-fix-packet-statistics-for-fast-rx.patch
queue-4.9/mac80211-fix-dropped-counter-in-multiqueue-rx.patch