@gmail.com;
> spen...@grsecurity.net
> Subject: Re: question about potential integer truncation in
> mwifiex_set_wapi_ie and mwifiex_set_wps_ie
>
> On Tue, Sep 29, 2015 at 05:21:28PM +0200, PaX Team wrote:
> > hi all,
> >
> > in drivers/net/w
On 30 Sep 2015 at 9:10, James Cameron wrote:
> On Tue, Sep 29, 2015 at 05:21:28PM +0200, PaX Team wrote:
> > hi all,
> >
> > in drivers/net/wireless/mwifiex/sta_ioctl.c the following functions
> >
> > mwifiex_set_wpa_ie_helper
> > mwifiex_set_wapi_ie
> > mwifiex_set_wps_ie
> >
> > c
On Tue, Sep 29, 2015 at 05:21:28PM +0200, PaX Team wrote:
> hi all,
>
> in drivers/net/wireless/mwifiex/sta_ioctl.c the following functions
>
> mwifiex_set_wpa_ie_helper
> mwifiex_set_wapi_ie
> mwifiex_set_wps_ie
>
> can truncate the incoming ie_len argument from u16 to u8 when
hi all,
in drivers/net/wireless/mwifiex/sta_ioctl.c the following functions
mwifiex_set_wpa_ie_helper
mwifiex_set_wapi_ie
mwifiex_set_wps_ie
can truncate the incoming ie_len argument from u16 to u8 when it gets
stored in mwifiex_private.wpa_ie_len, mwifiex_private.wapi_ie
