Home Home > GIT Browse > stable
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai <tiwai@suse.de>2019-04-17 12:22:56 +0200
committerTakashi Iwai <tiwai@suse.de>2019-04-17 12:22:58 +0200
commit4835ec05cd8c529daf829c32d39f5954c558e813 (patch)
tree1ac85f195fac67dd3c4ee0782b8b1235aeee0e09
parentfbb3535cb9b16eec67686289e5e6eff036b498cf (diff)
brcmfmac: assure SSID length from firmware is limitedstable
(CVE-2019-9500,bsc#1132681).
-rw-r--r--patches.suse/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch38
-rw-r--r--series.conf1
2 files changed, 39 insertions, 0 deletions
diff --git a/patches.suse/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch b/patches.suse/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
new file mode 100644
index 0000000000..c650b40b54
--- /dev/null
+++ b/patches.suse/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
@@ -0,0 +1,38 @@
+From 1b5e2423164b3670e8bc9174e4762d297990deff Mon Sep 17 00:00:00 2001
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Thu, 14 Feb 2019 13:43:47 +0100
+Subject: [PATCH] brcmfmac: assure SSID length from firmware is limited
+Git-commit: 1b5e2423164b3670e8bc9174e4762d297990deff
+Patch-mainline: v5.1-rc1
+References: CVE-2019-9500,bsc#1132681
+
+The SSID length as received from firmware should not exceed
+IEEE80211_MAX_SSID_LEN as that would result in heap overflow.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index b5e291ed9496..012275fc3bf7 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -3507,6 +3507,8 @@ brcmf_wowl_nd_results(struct brcmf_if *ifp, const struct brcmf_event_msg *e,
+ }
+
+ netinfo = brcmf_get_netinfo_array(pfn_result);
++ if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
++ netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;
+ memcpy(cfg->wowl.nd->ssid.ssid, netinfo->SSID, netinfo->SSID_len);
+ cfg->wowl.nd->ssid.ssid_len = netinfo->SSID_len;
+ cfg->wowl.nd->n_channels = 1;
+--
+2.16.4
+
diff --git a/series.conf b/series.conf
index 07bfc22524..8b985bed9d 100644
--- a/series.conf
+++ b/series.conf
@@ -1228,6 +1228,7 @@
########################################################
patches.suse/b43-missing-firmware-info.patch
patches.suse/brcmfmac-add-subtype-check-for-event-handling-in-dat.patch
+ patches.suse/brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
########################################################
# ISDN