Commit 9f938618 authored Mar 01, 2022 by Dan Carpenter Committed by Greg Kroah-Hartman Mar 20, 2022

UPSTREAM: usb: gadget: rndis: prevent integer overflow in rndis_set_response()



If "BufOffset" is very large the "BufOffset + 8" operation can have an
integer overflow.

Bug: 213172319
Cc: stable@kernel.org
Fixes: 38ea1eac7d88 ("usb: gadget: rndis: check size of RNDIS_MSG_SET command")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20220301080424.GA17208@kili


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 65f3324f4b6fed78b8761c3b74615ecf0ffa81fa)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I16c7c6c5a0a3a0102d1c6c9ddfca2a1ad1106880

parent 09809e2b

drivers/usb/gadget/function/rndis.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -640,6 +640,7 @@ static int rndis_set_response(struct rndis_params *params,
		BufLength = le32_to_cpu(buf->InformationBufferLength);
		BufOffset = le32_to_cpu(buf->InformationBufferOffset);
		if ((BufLength > RNDIS_MAX_TOTAL_SIZE) \|\|
		(BufOffset > RNDIS_MAX_TOTAL_SIZE) \|\|
		(BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE))
		return -EINVAL;