usb: rndis_host: Secure rndis_query check against int overflow - linux - Linux Kernel (branches are rebased on master from time to time)

diff options

author	Szymon Heidrich <szymon.heidrich@gmail.com>	2023-01-03 10:17:09 +0100
committer	David S. Miller <davem@davemloft.net>	2023-01-03 09:24:41 +0000
commit	c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2 (patch)
tree	a262f5859ecf01608d6af5f44328bbe3f2b35a72 /MAINTAINERS
parent	7dc61838541928895abae6d2355258e02a251bba (diff)
download	linux-c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2.tar.bz2

usb: rndis_host: Secure rndis_query check against int overflow

Variables off and len typed as uint32 in rndis_query function are controlled by incoming RNDIS response message thus their value may be manipulated. Setting off to a unexpectetly large value will cause the sum with len and 8 to overflow and pass the implemented validation step. Consequently the response pointer will be referring to a location past the expected buffer boundaries allowing information leakage e.g. via RNDIS_OID_802_3_PERMANENT_ADDRESS OID. Fixes: ddda08624013 ("USB: rndis_host, various cleanups") Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'MAINTAINERS')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: