Commit 589e4738 authored Apr 7, 2017 by Insun Song Committed by Stuart Scott Jun 7, 2017

net: wireless: bcmdhd: additional length check for BRCM EVENT frame.


This is just for exceptional case where user has updated kernel to the
latest, but still used non-patched firmware. The non-patched firmware
could deliver ETHER_TYPE_BRCM packet to host.

If attacker inject packet with its header length forged, it could bypass
current host driver's length check routine and cause memory corruption.

Proposed fix is enhancing length check to validate its header length.

Change-Id: I90fc5101bddfd1d427e0a52758ddf8bc16577555
Bug: 37168488
Signed-off-by: Insun Song <insun.song@broadcom.com>

parent dc9f6a22

No related branches found

No related tags found

No related merge requests found

Show whitespace changes

Inline Side-by-side

Showing with 18 additions and 10 deletions

Please register or to comment