mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
authorWen Huang <huangwenabc@gmail.com>
Wed, 28 Aug 2019 02:07:51 +0000 (10:07 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 21 Sep 2019 05:16:45 +0000 (07:16 +0200)
commit941431c491a68e0428bdfb46bbe4cbc52f7bfabb
treeb4c03110a7dff5991063dd9f46fc9dd2b31cbf24
parent770cee245191e1ad905942629ea987af5d02f584
mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings

commit 7caac62ed598a196d6ddf8d9c121e12e082cac3a upstream.

mwifiex_update_vs_ie(),mwifiex_set_uap_rates() and
mwifiex_set_wmm_params() call memcpy() without checking
the destination size.Since the source is given from
user-space, this may trigger a heap buffer overflow.

Fix them by putting the length check before performing memcpy().

This fix addresses CVE-2019-14814,CVE-2019-14815,CVE-2019-14816.

Signed-off-by: Wen Huang <huangwenabc@gmail.com>
Acked-by: Ganapathi Bhat <gbhat@marvell.comg>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/net/wireless/marvell/mwifiex/ie.c
drivers/net/wireless/marvell/mwifiex/uap_cmd.c