wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid (b870e73a) · Commits · Mirrors / git.kernel.org / pub_scm_linux_kernel_git_stable_linux · GitLab

Commit b870e73a authored Jan 11, 2023 by

Szymon Heidrich Committed by Kalle Valo Jan 16, 2023

wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid

Since resplen and respoffs are signed integers sufficiently
large values of unsigned int len and offset members of RNDIS
response will result in negative values of prior variables.
This may be utilized to bypass implemented security checks
to either extract memory contents by manipulating offset or
overflow the data buffer via memcpy by manipulating both
offset and len.

Additionally assure that sum of resplen and respoffs does not
overflow so buffer boundaries are kept.

Fixes: 80f8c5b4

 ("rndis_wlan: copy only useful data from rndis_command respond")
Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230111175031.7049-1-szymon.heidrich@gmail.com

parent ed05cb17

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 8a97563b
· Feb 07, 2023

mentioned in commit 8a97563b

mentioned in commit 8a97563bf04358f035a0b98142ae48f1ef095b61

Toggle commit list
mirror @mirror
mentioned in commit b4cc9d7a
· Feb 07, 2023

mentioned in commit b4cc9d7a

mentioned in commit b4cc9d7ae9bed976de5463958afea2983b4ca57f

Toggle commit list

Please register or to comment