Re: [v2] wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid

From: Kalle Valo
Date: Mon Jan 16 2023 - 06:29:18 EST

Next message: Huang, Kai: "Re: [PATCH v11 035/113] KVM: x86/mmu: Allow per-VM override of the TDP max page level"
Previous message: Jing Zhang: "Re: [PATCH v7 1/9] perf pmu: Add #slots literal support for arm64"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Szymon Heidrich <szymon.heidrich@xxxxxxxxx> wrote:

> Since resplen and respoffs are signed integers sufficiently
> large values of unsigned int len and offset members of RNDIS
> response will result in negative values of prior variables.
> This may be utilized to bypass implemented security checks
> to either extract memory contents by manipulating offset or
> overflow the data buffer via memcpy by manipulating both
> offset and len.
>
> Additionally assure that sum of resplen and respoffs does not
> overflow so buffer boundaries are kept.
>
> Fixes: 80f8c5b434f9 ("rndis_wlan: copy only useful data from rndis_command respond")
> Signed-off-by: Szymon Heidrich <szymon.heidrich@xxxxxxxxx>
> Reviewed-by: Alexander Duyck <alexanderduyck@xxxxxx>

Patch applied to wireless.git, thanks.

b870e73a56c4 wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid

--
https://patchwork.kernel.org/project/linux-wireless/patch/20230111175031.7049-1-szymon.heidrich@xxxxxxxxx/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

Next message: Huang, Kai: "Re: [PATCH v11 035/113] KVM: x86/mmu: Allow per-VM override of the TDP max page level"
Previous message: Jing Zhang: "Re: [PATCH v7 1/9] perf pmu: Add #slots literal support for arm64"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]