diff options
author | Luciano Coelho <coelho@ti.com> | 2013-02-12 20:11:38 +0200 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2013-02-13 10:14:17 +0100 |
commit | 6719429dd61cde1fe30d9644d0aa2369eefc9005 (patch) | |
tree | 5318edf7523b03cb3c34f2824985dc246231a053 /security/integrity | |
parent | bb92d19983a4b54be3e3b83441a8076d92cd04bc (diff) | |
download | blackbird-op-linux-6719429dd61cde1fe30d9644d0aa2369eefc9005.tar.gz blackbird-op-linux-6719429dd61cde1fe30d9644d0aa2369eefc9005.zip |
cfg80211: check vendor IE length to avoid overrun
cfg80211_find_vendor_ie() was checking only that the vendor IE would
fit in the remaining IEs buffer. If a corrupt includes a vendor IE
that is too small, we could potentially overrun the IEs buffer.
Fix this by checking that the vendor IE fits in the reported IE length
field and skip it otherwise.
Reported-by: Jouni Malinen <j@w1.fi>
Signed-off-by: Luciano Coelho <coelho@ti.com>
[change BUILD_BUG_ON to != 1 (from >= 2)]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'security/integrity')
0 files changed, 0 insertions, 0 deletions