From 1235eacf32e1be8ab5f0705aad680eca9c3a1099 Mon Sep 17 00:00:00 2001
From: dataanddreams <dataanddreams@gmail.com>
Date: Fri, 4 Dec 2015 10:28:53 -0500
Subject: [PATCH] net: wireless: bcmdhd: Add checks for stack buffer overflows

These two checks prevent exploitable buffer overflows in two scenarios.
1. Long WPS_ID_DEVICE_NAME in WPS info elements
2. Invalid SSID determined in certain scan results

Bug: 25661991
Change-Id: I356c71b3ccda765b03a1a380c39e199c3c3e3261
Signed-off-by: Yuan Lin <yualin@google.com>
---
 drivers/net/wireless/bcmdhd/wl_cfg80211.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
index 968461319248..e9c81b80f5fc 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
@@ -8350,11 +8350,6 @@ wl_notify_sched_scan_results(struct wl_priv *wl, struct net_device *ndev,
  			memcpy(ssid[i].ssid, netinfo->pfnsubnet.SSID, ssid[i].ssid_len);
  			request->n_ssids++;
 
-			memcpy(ssid[i].ssid, netinfo->pfnsubnet.SSID,
-				netinfo->pfnsubnet.SSID_len);
-			ssid[i].ssid_len = netinfo->pfnsubnet.SSID_len;
-			request->n_ssids++;
-
 			channel_req = netinfo->pfnsubnet.channel;
 			band = (channel_req <= CH_MAX_2G_CHANNEL) ? NL80211_BAND_2GHZ
 				: NL80211_BAND_5GHZ;
-- 
GitLab