On Mon, Feb 10, 2020 at 12:02:33PM -0600, Larry Finger wrote:
In routine wpa_supplicant_ioctl(), the user-controlled p->length is
checked to be at least the size of struct ieee_param size, but the code
does not detect the case where p->length is greater than the size
of the struct, thus a malicious user could be wasting kernel memory.
Fixes commit 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver").
Reported by: Pietro Oliva [off-list ref]
Cc: Pietro Oliva <redacted>
Cc: Stable <redacted>
Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver").
Signed-off-by: Larry Finger <redacted>
-# Please enter the commit message for your changes. Lines starting
---
Funny line :)
I'll go edit it...
thanks,
greg k-h