usb: gadget: rndis: prevent integer overflow in rndis_set_response() (56b38e3c) · Commits · Mirrors / github.com / raspberrypi_linux

Commit 56b38e3c authored Mar 01, 2022 by

Dan Carpenter Committed by Greg Kroah-Hartman Mar 23, 2022

usb: gadget: rndis: prevent integer overflow in rndis_set_response()

commit 65f3324f upstream.

If "BufOffset" is very large the "BufOffset + 8" operation can have an
integer overflow.

Cc: stable@kernel.org
Fixes: 38ea1eac

 ("usb: gadget: rndis: check size of RNDIS_MSG_SET command")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20220301080424.GA17208@kili


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 222f5e2d

Hide whitespace changes

Inline Side-by-side

Please register or to comment