wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid - Linux

diff options

author	Szymon Heidrich <szymon.heidrich@gmail.com>	2023-01-11 18:50:31 +0100
committer	Kalle Valo <kvalo@kernel.org>	2023-01-16 13:27:54 +0200
commit	b870e73a56c4cccbec33224233eaf295839f228c (patch)
tree	07c8c0d5b5e469ac39ba83a24407ee063214ecab /include/linux/compiler-gcc.h
parent	ed05cb177ae5cd7f02f1d6e7706ba627d30f1696 (diff)
download	linux-b870e73a56c4cccbec33224233eaf295839f228c.tar.gz linux-b870e73a56c4cccbec33224233eaf295839f228c.tar.bz2 linux-b870e73a56c4cccbec33224233eaf295839f228c.zip

wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid

Since resplen and respoffs are signed integers sufficiently large values of unsigned int len and offset members of RNDIS response will result in negative values of prior variables. This may be utilized to bypass implemented security checks to either extract memory contents by manipulating offset or overflow the data buffer via memcpy by manipulating both offset and len. Additionally assure that sum of resplen and respoffs does not overflow so buffer boundaries are kept. Fixes: 80f8c5b434f9 ("rndis_wlan: copy only useful data from rndis_command respond") Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com> Reviewed-by: Alexander Duyck <alexanderduyck@fb.com> Signed-off-by: Kalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20230111175031.7049-1-szymon.heidrich@gmail.com

Diffstat (limited to 'include/linux/compiler-gcc.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: