| From 65f3324f4b6fed78b8761c3b74615ecf0ffa81fa Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Tue, 1 Mar 2022 11:04:24 +0300 |
| Subject: usb: gadget: rndis: prevent integer overflow in rndis_set_response() |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| commit 65f3324f4b6fed78b8761c3b74615ecf0ffa81fa upstream. |
| |
| If "BufOffset" is very large the "BufOffset + 8" operation can have an |
| integer overflow. |
| |
| Cc: stable@kernel.org |
| Fixes: 38ea1eac7d88 ("usb: gadget: rndis: check size of RNDIS_MSG_SET command") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Link: https://lore.kernel.org/r/20220301080424.GA17208@kili |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/usb/gadget/function/rndis.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/drivers/usb/gadget/function/rndis.c |
| +++ b/drivers/usb/gadget/function/rndis.c |
| @@ -640,6 +640,7 @@ static int rndis_set_response(struct rnd |
| BufLength = le32_to_cpu(buf->InformationBufferLength); |
| BufOffset = le32_to_cpu(buf->InformationBufferOffset); |
| if ((BufLength > RNDIS_MAX_TOTAL_SIZE) || |
| + (BufOffset > RNDIS_MAX_TOTAL_SIZE) || |
| (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE)) |
| return -EINVAL; |
| |