diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2022-03-01 11:04:24 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-03-23 09:16:43 +0100 |
commit | 56b38e3ca4064041d93c1ca18828c8cedad2e16c (patch) | |
tree | c80c0bb1617f05d0e8583cbd320452e46ccb8fc4 | |
parent | 222f5e2d7f20a8852a4f79efb353b9f8adadfa1c (diff) | |
download | linux-rt-56b38e3ca4064041d93c1ca18828c8cedad2e16c.tar.gz |
usb: gadget: rndis: prevent integer overflow in rndis_set_response()
commit 65f3324f4b6fed78b8761c3b74615ecf0ffa81fa upstream.
If "BufOffset" is very large the "BufOffset + 8" operation can have an
integer overflow.
Cc: stable@kernel.org
Fixes: 38ea1eac7d88 ("usb: gadget: rndis: check size of RNDIS_MSG_SET command")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20220301080424.GA17208@kili
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | drivers/usb/gadget/function/rndis.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/usb/gadget/function/rndis.c b/drivers/usb/gadget/function/rndis.c index 0f14c5291af0..4150de96b937 100644 --- a/drivers/usb/gadget/function/rndis.c +++ b/drivers/usb/gadget/function/rndis.c @@ -640,6 +640,7 @@ static int rndis_set_response(struct rndis_params *params, BufLength = le32_to_cpu(buf->InformationBufferLength); BufOffset = le32_to_cpu(buf->InformationBufferOffset); if ((BufLength > RNDIS_MAX_TOTAL_SIZE) || + (BufOffset > RNDIS_MAX_TOTAL_SIZE) || (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE)) return -EINVAL; |