e644fc4ab7
commit 8687bf9ef9551bcf93897e33364d121667b1aadf upstream. Function _rtl92e_wx_set_scan calls memcpy without checking the length. A user could control that length and trigger a buffer overflow. Fix by checking the length is within the maximum allowed size. Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Lee Gibson <leegib@gmail.com> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20210226145157.424065-1-leegib@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
---|---|---|
.. | ||
Kconfig | ||
Makefile | ||
r8190P_def.h | ||
r8190P_rtl8256.c | ||
r8190P_rtl8256.h | ||
r8192E_cmdpkt.c | ||
r8192E_cmdpkt.h | ||
r8192E_dev.c | ||
r8192E_dev.h | ||
r8192E_firmware.c | ||
r8192E_firmware.h | ||
r8192E_hw.h | ||
r8192E_hwimg.c | ||
r8192E_hwimg.h | ||
r8192E_phy.c | ||
r8192E_phy.h | ||
r8192E_phyreg.h | ||
rtl_cam.c | ||
rtl_cam.h | ||
rtl_core.c | ||
rtl_core.h | ||
rtl_dm.c | ||
rtl_dm.h | ||
rtl_eeprom.c | ||
rtl_eeprom.h | ||
rtl_ethtool.c | ||
rtl_pci.c | ||
rtl_pci.h | ||
rtl_pm.c | ||
rtl_pm.h | ||
rtl_ps.c | ||
rtl_ps.h | ||
rtl_wx.c | ||
rtl_wx.h |