usb: rndis_host: Secure rndis_query check against int overflow - kernel

diff options

author	Szymon Heidrich <[email protected]>	2023-01-03 09:17:09 +0000
committer	David S. Miller <[email protected]>	2023-01-03 09:24:41 +0000
commit	c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2 (patch)
tree	a262f5859ecf01608d6af5f44328bbe3f2b35a72 /tools/testing/selftests/bpf/prog_tests/bpf_iter.c
parent	net: dpaa: Fix dtsec check for PCS availability (diff)
download	kernel-c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2.tar.gz kernel-c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2.zip

usb: rndis_host: Secure rndis_query check against int overflow

Variables off and len typed as uint32 in rndis_query function are controlled by incoming RNDIS response message thus their value may be manipulated. Setting off to a unexpectetly large value will cause the sum with len and 8 to overflow and pass the implemented validation step. Consequently the response pointer will be referring to a location past the expected buffer boundaries allowing information leakage e.g. via RNDIS_OID_802_3_PERMANENT_ADDRESS OID. Fixes: ddda08624013 ("USB: rndis_host, various cleanups") Signed-off-by: Szymon Heidrich <[email protected]> Signed-off-by: David S. Miller <[email protected]>

Diffstat (limited to 'tools/testing/selftests/bpf/prog_tests/bpf_iter.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: