brcmfmac: add length check in brcmf_cfg80211_escan_handler()
authorArend Van Spriel <arend.vanspriel@broadcom.com>
Tue, 12 Sep 2017 08:47:53 +0000 (10:47 +0200)
committerKalle Valo <kvalo@codeaurora.org>
Wed, 20 Sep 2017 04:46:29 +0000 (07:46 +0300)
commit17df6453d4be17910456e99c5a85025aa1b7a246
treeef84bc921d2e6fda33f14a1c5e3af899674bbc33
parent4c707c04f622a7a8570a8db6389e5a2310b92195
brcmfmac: add length check in brcmf_cfg80211_escan_handler()

Upon handling the firmware notification for scans the length was
checked properly and may result in corrupting kernel heap memory
due to buffer overruns. This fix addresses CVE-2017-0786.

Cc: stable@vger.kernel.org # v4.0.x
Cc: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c