[PATCH v2 1/1] hisi_sas: Fix possible buffer overflows in prep_ssp_v3_hw

2020-12-09 Thread Xiaohui Zhang
From: Zhang Xiaohui prep_ssp_v3_hw() calls memcpy() without checking the destination size may trigger a buffer overflow. buf_cmd should be a ssp_tmf_iu struct through the analysis of the command below: buf_cmd = hisi_sas_cmd_hdr_addr_mem(slot) + sizeof(struct ssp_frame_hdr); Then buf_

[PATCH 1/1] crypto: Fix possible buffer overflows in pkey_protkey_aes_attr_read

2020-12-09 Thread Xiaohui Zhang
From: Zhang Xiaohui pkey_protkey_aes_attr_read() calls memcpy() without checking the destination size may trigger a buffer overflow. Signed-off-by: Zhang Xiaohui --- drivers/s390/crypto/pkey_api.c | 4 1 file changed, 4 insertions(+) diff --git a/drivers/s390/crypto/pkey_api.c b/driver

[PATCH 1/1] tcpm: Fix possible buffer overflows in tcpm_queue_vdm

2020-12-08 Thread Xiaohui Zhang
From: Zhang Xiaohui tcpm_queue_vdm() calls memcpy() without checking the destination size may trigger a buffer overflow. Signed-off-by: Zhang Xiaohui --- drivers/usb/typec/tcpm/tcpm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/

[PATCH 1/1] hisi_sas: Fix possible buffer overflows in prep_ssp_v3_hw

2020-12-08 Thread Xiaohui Zhang
From: Zhang Xiaohui prep_ssp_v3_hw() calls memcpy() without checking the destination size may trigger a buffer overflow, which a local user could use to cause denial of service or the execution of arbitrary code. Fix it by putting the length check before calling memcpy(). Signed-off-by: Zhang

[PATCH 1/1] mwifiex: Fix possible buffer overflows in mwifiex_uap_bss_param_prepare

2020-12-08 Thread Xiaohui Zhang
From: Zhang Xiaohui mwifiex_uap_bss_param_prepare() calls memcpy() without checking the destination size may trigger a buffer overflow, which a local user could use to cause denial of service or the execution of arbitrary code. Fix it by putting the length check before calling memcpy(). Signed

[PATCH 1/1] mwifiex: Fix possible buffer overflows in mwifiex_config_scan

2020-12-08 Thread Xiaohui Zhang
From: Zhang Xiaohui mwifiex_config_scan() calls memcpy() without checking the destination size may trigger a buffer overflow, which a local user could use to cause denial of service or the execution of arbitrary code. Fix it by putting the length check before calling memcpy(). Signed-off-by: Z

[PATCH 1/1] scsi: Fix possible buffer overflows in storvsc_queuecommand

2020-12-08 Thread Xiaohui Zhang
From: Zhang Xiaohui storvsc_queuecommand() calls memcpy() without checking the destination size may trigger a buffer overflow, which a local user could use to cause denial of service or the execution of arbitrary code. Fix it by putting the length check before calling memcpy(). Signed-off-by:

[PATCH 1/1] mwifiex: Fix possible buffer overflows in mwifiex_config_scan

2020-12-08 Thread Xiaohui Zhang
From: Zhang Xiaohui mwifiex_config_scan() calls memcpy() without checking the destination size may trigger a buffer overflow, which a local user could use to cause denial of service or the execution of arbitrary code. Fix it by putting the length check before calling memcpy(). Signed-off-by: Z

[PATCH 1/1] mwifiex: Fix possible buffer overflows in mwifiex_uap_bss_param_prepare

2020-12-08 Thread Xiaohui Zhang
From: Zhang Xiaohui mwifiex_uap_bss_param_prepare() calls memcpy() without checking the destination size may trigger a buffer overflow, which a local user could use to cause denial of service or the execution of arbitrary code. Fix it by putting the length check before calling memcpy(). Signed

[PATCH 1/1] ice: fix array overflow on receiving too many fragments for a packet

2020-12-06 Thread Xiaohui Zhang
From: Zhang Xiaohui If the hardware receives an oversized packet with too many rx fragments, skb_shinfo(skb)->frags can overflow and corrupt memory of adjacent pages. This becomes especially visible if it corrupts the freelist pointer of a slab page. Signed-off-by: Zhang Xiaohui --- drivers/ne

[PATCH 1/1] ionic: fix array overflow on receiving too many fragments for a packet

2020-12-06 Thread Xiaohui Zhang
From: Zhang Xiaohui If the hardware receives an oversized packet with too many rx fragments, skb_shinfo(skb)->frags can overflow and corrupt memory of adjacent pages. This becomes especially visible if it corrupts the freelist pointer of a slab page. Signed-off-by: Zhang Xiaohui --- drivers/ne

[PATCH 1/1] mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start

2020-12-06 Thread Xiaohui Zhang
From: Zhang Xiaohui mwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking the destination size may trigger a buffer overflow, which a local user could use to cause denial of service or the execution of arbitrary code. Fix it by putting the length check before calling memcpy(). Sign

[PATCH 1/1] target: Make sure no zero value in the buffer

2020-12-03 Thread Xiaohui Zhang
From: Zhang Xiaohui The fix makes sure no zero value in the buffer, by comparing the strlen() of the original buffer with the size variable. Signed-off-by: Zhang Xiaohui --- drivers/target/target_core_iblock.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/target/target_core_ibl