Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fbcfd190 authored by Ignat Korchagin's avatar Ignat Korchagin Committed by Gerrit - the friendly Code Review server
Browse files

USB: usbip: fix potential out-of-bounds write 



Fix potential out-of-bounds write to urb->transfer_buffer
usbip handles network communication directly in the kernel. When receiving a
packet from its peer, usbip code parses headers according to protocol. As
part of this parsing urb->actual_length is filled. Since the input for
urb->actual_length comes from the network, it should be treated as untrusted.
Any entity controlling the network may put any value in the input and the
preallocated urb->transfer_buffer may not be large enough to hold the data.
Thus, the malicious entity is able to write arbitrary data to kernel memory.

Signed-off-by: default avatarIgnat Korchagin <ignat.korchagin@gmail.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb)

Change-Id: I402ca8adef71745a85ba2c51945b99d46509c06e
Signed-off-by: default avatarAkshaya <akshayab@codeaurora.org>
parent 5619e3ed
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment