libertas: Fix two buffer overflows at parsing bss descriptor
add_ie_rates() copys rates without checking the length in bss descriptor from remote AP.when victim connects to remote attacker, this may trigger buffer overflow. lbs_ibss_join_existing() copys rates without checking the length in bss descriptor from remote IBSS node.when victim connects to remote attacker, this may trigger buffer overflow. Fix them by putting the length check before performing copy. This fix addresses CVE-2019-14896 and CVE-2019-14897. This also fix build warning of mixed declarations and code. Reported-by: kbuild test robot <lkp@intel.com> Signed-off-by: Wen Huang <huangwenabc@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
parent
b43e36d7
-
mentioned in commit 5cdd9e0e
-
mentioned in commit 4d7f4d38
-
mentioned in commit b5e6f199
-
mentioned in commit a5efc7dd
-
mentioned in commit 783c9628
-
mentioned in commit 1de085c8
-
mentioned in commit 8ffeb211
-
mentioned in commit 03b4aeda
-
mentioned in commit 7bd751f1
-
mentioned in commit 9d68062d
-
mentioned in commit 88c38166
-
mentioned in commit ae7f404d
-
mentioned in commit 61087dce
-
mentioned in commit 847e6a76
-
mentioned in commit 36f44151
Please register or sign in to comment