linux/drivers/staging/wlan-ng
Qiujun Huang 1165dd73e8 staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback
We can't handle the case length > WLAN_DATA_MAXLEN.
Because the size of rxfrm->data is WLAN_DATA_MAXLEN(2312), and we can't
read more than that.

Thanks-to: Hillf Danton <hdanton@sina.com>
Reported-and-tested-by: syzbot+7d42d68643a35f71ac8a@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200326131850.17711-1-hqjagain@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-03-26 15:47:26 +01:00
..
Kconfig staging/wlan-ng: add CRC32 dependency in Kconfig 2019-12-10 10:56:54 +01:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
README
cfg80211.c staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS 2019-10-14 15:40:08 +02:00
hfa384x.h staging: Replace zero-length array with flexible-array member 2020-02-23 19:18:54 +01:00
hfa384x_usb.c staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback 2020-03-26 15:47:26 +01:00
p80211conv.c staging: wlan-ng: Replace long int with long 2018-10-19 21:10:45 +02:00
p80211conv.h staging: wlan-ng: convert P80211SKB_RXMETA to inline function in p80211conv 2018-05-25 18:44:14 +02:00
p80211hdr.h staging: wlan-ng: replace WLAN_CTL_FRAMELEN with inline function in p80211hdr.h 2018-06-28 22:12:50 +09:00
p80211ioctl.h staging: wlan-ng: fix SPDX comment style in headers 2018-05-06 18:52:37 -07:00
p80211metadef.h staging: wlan-ng: remove "autogenerated code" comments 2018-09-28 14:43:52 +02:00
p80211metastruct.h staging: wlan-ng: remove "autogenerated code" comments 2018-09-28 14:43:52 +02:00
p80211mgmt.h staging: wlan-ng: fix SPDX comment style in headers 2018-05-06 18:52:37 -07:00
p80211msg.h staging: wlan-ng: fix SPDX comment style in headers 2018-05-06 18:52:37 -07:00
p80211netdev.c netdev: pass the stuck queue to the timeout handler 2019-12-12 21:38:57 -08:00
p80211netdev.h staging: wlan-ng: fix coding style issues in p80211netdev.h 2018-05-20 14:34:25 +02:00
p80211req.c staging: wlan-ng: make switch case block format consistent 2018-09-28 14:43:52 +02:00
p80211req.h staging: wlan-ng: fix SPDX comment style in headers 2018-05-06 18:52:37 -07:00
p80211types.h staging: Replace zero-length array with flexible-array member 2020-02-23 19:18:54 +01:00
p80211wep.c staging: wlan-ng: p80211wep.c: use lib/crc32 2019-10-07 12:32:43 +02:00
prism2fw.c staging: wlan-ng: prism2fw.c: Fix "Possible unnecessary 'out of memory' message" checkpatch.pl warning" 2019-01-07 08:56:07 +01:00
prism2mgmt.c staging: wlan-ng: ensure error return is actually returned 2020-01-15 13:11:41 +01:00
prism2mgmt.h staging: wlan-ng: fix SPDX comment style in headers 2018-05-06 18:52:37 -07:00
prism2mib.c staging: wlan-ng: Remove function prism2mib_excludeunencrypted() 2019-08-02 13:55:38 +02:00
prism2sta.c staging: wlan-ng: use "%*pE" for serial number 2019-07-22 07:34:12 +02:00
prism2usb.c staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb 2020-03-25 13:40:14 +01:00

README

TODO:
	- checkpatch.pl cleanups
	- sparse warnings
	- move to use the in-kernel wireless stack

Please send any patches or complaints about this driver to Greg
Kroah-Hartman <greg@kroah.com> and don't bother the upstream wireless
kernel developers about it, they want nothing to do with it.