usb: gadget: rndis: check size of RNDIS_MSG_SET command

From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

commit 38ea1eac7d88072bbffb630e2b3db83ca649b826 upstream.

Check the size of the RNDIS_MSG_SET command given to us before
attempting to respond to an invalid message size.

Reported-by: Szymon Heidrich <szymon.heidrich@xxxxxxxxx>
Cc: stable@xxxxxxxxxx
Tested-by: Szymon Heidrich <szymon.heidrich@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/usb/gadget/function/rndis.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/usb/gadget/function/rndis.c
+++ b/drivers/usb/gadget/function/rndis.c
@@ -642,14 +642,17 @@ static int rndis_set_response(struct rnd
 	rndis_set_cmplt_type *resp;
 	rndis_resp_t *r;
 
+	BufLength = le32_to_cpu(buf->InformationBufferLength);
+	BufOffset = le32_to_cpu(buf->InformationBufferOffset);
+	if ((BufLength > RNDIS_MAX_TOTAL_SIZE) ||
+	    (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE))
+		    return -EINVAL;
+
 	r = rndis_add_response(params, sizeof(rndis_set_cmplt_type));
 	if (!r)
 		return -ENOMEM;
 	resp = (rndis_set_cmplt_type *)r->buf;
 
-	BufLength = le32_to_cpu(buf->InformationBufferLength);
-	BufOffset = le32_to_cpu(buf->InformationBufferOffset);
-
 #ifdef	VERBOSE_DEBUG
 	pr_debug("%s: Length: %d\n", __func__, BufLength);
 	pr_debug("%s: Offset: %d\n", __func__, BufOffset);
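
Review bot: the offset test `(BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE)` in the new check can be defeated by wraparound. BufOffset comes straight from `le32_to_cpu(buf->InformationBufferOffset)`, so if it is held in a 32-bit unsigned variable (the declaration is outside this hunk), a value close to the 32-bit maximum makes `BufOffset + 8` wrap to a small number and pass. Bounding the raw value first, for example by adding `(BufOffset > RNDIS_MAX_TOTAL_SIZE) ||` ahead of the `+ 8` comparison, would close that gap. Separately, BufLength and BufOffset are each compared to RNDIS_MAX_TOTAL_SIZE on their own, so a pair that individually pass can still sum to more than that limit. If the later code reads BufLength bytes starting at BufOffset, a combined bound would be worth adding, ideally against the size of the message actually received. Minor style point: `return -EINVAL;` is indented with a tab plus four spaces rather than two tabs.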


Patches currently in stable-queue which might be from gregkh@xxxxxxxxxxxxxxxxxxx are

queue-4.9/usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch
queue-4.9/input-i8042-fix-misplaced-backport-of-add-asus-zenbook-flip-to-noselftest-list.patch
queue-4.9/nfsd-clamp-write-offsets.patch
queue-4.9/usb-serial-option-add-zte-mf286d-modem.patch
queue-4.9/usb-serial-cp210x-add-ncr-retail-io-box-id.patch
queue-4.9/vt_ioctl-add-array_index_nospec-to-vt_activate.patch
queue-4.9/usb-gadget-validate-interface-os-descriptor-requests.patch
queue-4.9/serial-sh-sci-fix-misplaced-backport-of-fix-late-enablement-of-autorts.patch
queue-4.9/revert-net-axienet-wait-for-phyrstcmplt-after-core-reset.patch
queue-4.9/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch
queue-4.9/staging-fbtft-fix-error-path-in-fbtft_driver_module_.patch
queue-4.9/usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch
queue-4.9/usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch
queue-4.9/usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch
queue-4.9/usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch
queue-4.9/integrity-check-the-return-value-of-audit_log_start.patch
queue-4.9/nfs-fix-initialisation-of-nfs_client-cl_flags-field.patch
queue-4.9/arm-dts-imx23-evk-remove-mx23_pad_ssp1_detect-from-hog-group.patch
queue-4.9/usb-dwc2-gadget-don-t-try-to-disable-ep0-in-dwc2_hso.patch
queue-4.9/n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch
queue-4.9/ima-remove-ima_policy-file-before-directory.patch
queue-4.9/alsa-line6-fix-misplaced-backport-of-fix-wrong-altsetting-for-line6_podhd500_1.patch
queue-4.9/bpf-add-kconfig-knob-for-disabling-unpriv-bpf-by-default.patch
queue-4.9/hwmon-dell-smm-speed-up-setting-of-fan-speed.patch


