-
Wen Huang authored
add_ie_rates() copys rates without checking the length in bss descriptor from remote AP.when victim connects to remote attacker, this may trigger buffer overflow. lbs_ibss_join_existing() copys rates without checking the length in bss descriptor from remote IBSS node.when victim connects to remote attacker, this may trigger buffer overflow. Fix them by putting the length check before performing copy. This fix addresses CVE-2019-14896 and CVE-2019-14897. Signed-off-by:
Wen Huang <huangwenabc@gmail.com> CVE-2019-14896 CVE-2019-14897 (backported from https://patchwork.kernel.org/patch/11257187/) [smb: drop marvell subdirectory from path] Signed-off-by:
Stefan Bader <stefan.bader@canonical.com> Acked-by:
Kleber Sacilotto de Souza <kleber.souza@canonical.com> Acked-by:
Andrea Righi <andrea.righi@canonical.com> Signed-off-by:
f41dbb3e
