Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753931AbdFSPcm (ORCPT ); Mon, 19 Jun 2017 11:32:42 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:44092 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751108AbdFSPcj (ORCPT ); Mon, 19 Jun 2017 11:32:39 -0400 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Shaul Triebitz , Johannes Berg Subject: [PATCH 4.4 08/30] mac80211: fix IBSS presp allocation size Date: Mon, 19 Jun 2017 23:20:42 +0800 Message-Id: <20170619152033.655385921@linuxfoundation.org> X-Mailer: git-send-email 2.13.1 In-Reply-To: <20170619152033.211450261@linuxfoundation.org> References: <20170619152033.211450261@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1177 Lines: 34 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Johannes Berg commit f1f3e9e2a50a70de908f9dfe0d870e9cdc67e042 upstream. When VHT IBSS support was added, the size of the extra elements wasn't considered in ieee80211_ibss_build_presp(), which makes it possible that it would overrun the allocated buffer. Fix it by allocating the necessary space. Fixes: abcff6ef01f9 ("mac80211: add VHT support for IBSS") Reported-by: Shaul Triebitz Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- net/mac80211/ibss.c | 2 ++ 1 file changed, 2 insertions(+) --- a/net/mac80211/ibss.c +++ b/net/mac80211/ibss.c @@ -66,6 +66,8 @@ ieee80211_ibss_build_presp(struct ieee80 2 + (IEEE80211_MAX_SUPP_RATES - 8) + 2 + sizeof(struct ieee80211_ht_cap) + 2 + sizeof(struct ieee80211_ht_operation) + + 2 + sizeof(struct ieee80211_vht_cap) + + 2 + sizeof(struct ieee80211_vht_operation) + ifibss->ie_len; presp = kzalloc(sizeof(*presp) + frame_len, GFP_KERNEL); if (!presp)