+ linux-wireless
Zekun Shen <[email protected]> writes:
> Bad header can have large length field which can cause OOB.
> cptr is the last bytes for read, and the eeprom is parsed
> from high to low address. The OOB, triggered by the condition
> length > cptr could cause memory error with a read on
> negative index.
>
> There are some sanity check around length, but it is not
> compared with cptr (the remaining bytes). Here, the
> corrupted/bad EEPROM can cause panic.
>
> I was able to reproduce the crash, but I cannot find the
> log and the reproducer now. After I applied the patch, the
> bug is no longer reproducible.
>
> Signed-off-by: Zekun Shen <[email protected]>
Please resubmit and cc linux-wireless list, otherwise patchwork won't
see the patch and then it will be out of my radar.
--
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches