Szymon,

On Thu, Nov 17, 2022 at 4:46 PM Szymon Heidrich <szymon.heidr...@gmail.com> wrote:
>
> Prevent access to arbitrary memory locations in gen_ndis_set_resp
> via manipulation of buf->InformationBufferOffset. Lack of validation
> of BufOffset could be exploited to dump arbitrary memory contents
> via NDIS packet filter.
>
> Signed-off-by: Szymon Heidrich <szymon.heidr...@gmail.com>
Please run ./scripts/get_maintainer.pl on your patch and copy the maintainers. > --- > drivers/usb/gadget/rndis.c | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > > diff --git a/drivers/usb/gadget/rndis.c b/drivers/usb/gadget/rndis.c > index 13c327ea38..3948f2cc9a 100644 > --- a/drivers/usb/gadget/rndis.c > +++ b/drivers/usb/gadget/rndis.c > @@ -855,14 +855,17 @@ static int rndis_set_response(int configNr, > rndis_set_msg_type *buf) > rndis_set_cmplt_type *resp; > rndis_resp_t *r; > > + BufLength = get_unaligned_le32(&buf->InformationBufferLength); > + BufOffset = get_unaligned_le32(&buf->InformationBufferOffset); > + if ((BufOffset > RNDIS_MAX_TOTAL_SIZE - 8) || > + (BufLength > RNDIS_MAX_TOTAL_SIZE - 8 - BufOffset)) > + return -EINVAL; > + > r = rndis_add_response(configNr, sizeof(rndis_set_cmplt_type)); > if (!r) > return -ENOMEM; > resp = (rndis_set_cmplt_type *) r->buf; > > - BufLength = get_unaligned_le32(&buf->InformationBufferLength); > - BufOffset = get_unaligned_le32(&buf->InformationBufferOffset); > - > #ifdef VERBOSE > debug("%s: Length: %d\n", __func__, BufLength); > debug("%s: Offset: %d\n", __func__, BufOffset); > -- > 2.38.1 >
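Review bot: the bound check in rndis_set_response is only sound if the incoming set message is itself limited to RNDIS_MAX_TOTAL_SIZE bytes before this function is reached; the hunk does not show where that limit is enforced, so the commit message should state it, and it should also say that the check lands in the caller (rndis_set_response) to guard the later use of BufOffset/BufLength in gen_ndis_set_resp, which is the function the message names. The literal 8 in `BufOffset > RNDIS_MAX_TOTAL_SIZE - 8` and `BufLength > RNDIS_MAX_TOTAL_SIZE - 8 - BufOffset` is unexplained; a short comment (or a named constant) saying which header bytes it accounts for would make the arithmetic reviewable, and it is worth noting in that comment that the two clauses must stay in this order, since the first one is what keeps `RNDIS_MAX_TOTAL_SIZE - 8 - BufOffset` from wrapping in the second. Moving the two get_unaligned_le32() reads above rndis_add_response() so that a rejected message never allocates a response is the right ordering; the now-empty `#ifdef VERBOSE` debug block still refers to both variables, so nothing else needs to move.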