• Ganapathi Bhat's avatar
    mwifiex: fix possible heap overflow in mwifiex_process_country_ie() · 3d94a4a8
    Ganapathi Bhat authored
    mwifiex_process_country_ie() function parse elements of bss
    descriptor in beacon packet. When processing WLAN_EID_COUNTRY
    element, there is no upper limit check for country_ie_len before
    calling memcpy. The destination buffer domain_info->triplet is an
    array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
    attacker can build a fake AP with the same ssid as real AP, and
    send malicous beacon packet with long WLAN_EID_COUNTRY elemen
    (country_ie_len > 83). Attacker can  force STA connect to fake AP
    on a different channel. When the victim STA connects to fake AP,
    will trigger the heap buffer overflow. Fix this by checking for
    length and if found invalid, don not connect to the AP.
    
    This fix addresses CVE-2019-14895.
    Reported-by: default avatarhuangwen <huangwenabc@gmail.com>
    Signed-off-by: default avatarGanapathi Bhat <gbhat@marvell.com>
    Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
    3d94a4a8
sta_ioctl.c 39.9 KB