1. 28 Nov, 2019 1 commit
    • Ganapathi Bhat's avatar
      mwifiex: fix possible heap overflow in mwifiex_process_country_ie() · 3d94a4a8
      Ganapathi Bhat authored
      mwifiex_process_country_ie() function parse elements of bss
      descriptor in beacon packet. When processing WLAN_EID_COUNTRY
      element, there is no upper limit check for country_ie_len before
      calling memcpy. The destination buffer domain_info->triplet is an
      array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
      attacker can build a fake AP with the same ssid as real AP, and
      send malicous beacon packet with long WLAN_EID_COUNTRY elemen
      (country_ie_len > 83). Attacker can  force STA connect to fake AP
      on a different channel. When the victim STA connects to fake AP,
      will trigger the heap buffer overflow. Fix this by checking for
      length and if found invalid, don not connect to the AP.
      
      This fix addresses CVE-2019-14895.
      Reported-by: default avatarhuangwen <huangwenabc@gmail.com>
      Signed-off-by: default avatarGanapathi Bhat <gbhat@marvell.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      3d94a4a8
  2. 24 Nov, 2019 4 commits
  3. 23 Nov, 2019 23 commits
  4. 22 Nov, 2019 12 commits