201320435d
There are two potential integer overflows in private_ioctl() if userspace passes in a large sList.uItem / sNodeList.uItem. The subsequent call to kmalloc() would allocate a small buffer, leading to a memory corruption. Reported-by: Dan Rosenberg <drosenberg@vsecurity.com> Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
||
---|---|---|
.. | ||
80211hdr.h | ||
80211mgr.c | ||
80211mgr.h | ||
aes_ccmp.c | ||
aes_ccmp.h | ||
baseband.c | ||
baseband.h | ||
bssdb.c | ||
bssdb.h | ||
card.c | ||
card.h | ||
channel.c | ||
channel.h | ||
control.c | ||
control.h | ||
country.h | ||
datarate.c | ||
datarate.h | ||
desc.h | ||
device_cfg.h | ||
device.h | ||
dpc.c | ||
dpc.h | ||
firmware.c | ||
firmware.h | ||
hostap.c | ||
hostap.h | ||
int.c | ||
int.h | ||
iocmd.h | ||
ioctl.c | ||
ioctl.h | ||
iowpa.h | ||
iwctl.c | ||
iwctl.h | ||
Kconfig | ||
key.c | ||
key.h | ||
mac.c | ||
mac.h | ||
main_usb.c | ||
Makefile | ||
mib.c | ||
mib.h | ||
michael.c | ||
michael.h | ||
power.c | ||
power.h | ||
rc4.c | ||
rc4.h | ||
rf.c | ||
rf.h | ||
rndis.h | ||
rxtx.c | ||
rxtx.h | ||
srom.h | ||
tcrc.c | ||
tcrc.h | ||
tether.c | ||
tether.h | ||
tkip.c | ||
tkip.h | ||
tmacro.h | ||
TODO | ||
ttype.h | ||
upc.h | ||
usbpipe.c | ||
usbpipe.h | ||
vntconfiguration.dat | ||
wcmd.c | ||
wcmd.h | ||
wctl.c | ||
wctl.h | ||
wmgr.c | ||
wmgr.h | ||
wpa2.c | ||
wpa2.h | ||
wpa.c | ||
wpa.h | ||
wpactl.c | ||
wpactl.h |