* [PATCH] Enforce buffer boundaries on RNDIS USB Gadget
@ 2022-11-17 19:44 Szymon Heidrich
2022-11-20 15:02 ` Fabio Estevam
0 siblings, 1 reply; 9+ messages in thread
From: Szymon Heidrich @ 2022-11-17 19:44 UTC (permalink / raw)
To: u-boot; +Cc: Szymon Heidrich
Prevent access to arbitrary memory locations in gen_ndis_set_resp
via manipulation of buf->InformationBufferOffset. Lack of validation
of BufOffset could be exploited to dump arbitrary memory contents
via NDIS packet filter.
Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
---
drivers/usb/gadget/rndis.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/gadget/rndis.c b/drivers/usb/gadget/rndis.c
index 13c327ea38..3948f2cc9a 100644
--- a/drivers/usb/gadget/rndis.c
+++ b/drivers/usb/gadget/rndis.c
@@ -855,14 +855,17 @@ static int rndis_set_response(int configNr, rndis_set_msg_type *buf)
rndis_set_cmplt_type *resp;
rndis_resp_t *r;
+ BufLength = get_unaligned_le32(&buf->InformationBufferLength);
+ BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
+ if ((BufOffset > RNDIS_MAX_TOTAL_SIZE - 8) ||
+ (BufLength > RNDIS_MAX_TOTAL_SIZE - 8 - BufOffset))
+ return -EINVAL;
+
r = rndis_add_response(configNr, sizeof(rndis_set_cmplt_type));
if (!r)
return -ENOMEM;
resp = (rndis_set_cmplt_type *) r->buf;
- BufLength = get_unaligned_le32(&buf->InformationBufferLength);
- BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
-
#ifdef VERBOSE
debug("%s: Length: %d\n", __func__, BufLength);
debug("%s: Offset: %d\n", __func__, BufOffset);
--
2.38.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH] Enforce buffer boundaries on RNDIS USB Gadget
2022-11-17 19:44 [PATCH] Enforce buffer boundaries on RNDIS USB Gadget Szymon Heidrich
@ 2022-11-20 15:02 ` Fabio Estevam
2022-12-03 14:59 ` Szymon Heidrich
0 siblings, 1 reply; 9+ messages in thread
From: Fabio Estevam @ 2022-11-20 15:02 UTC (permalink / raw)
To: Szymon Heidrich, Lukasz Majewski, Marek Vasut; +Cc: u-boot
Szymon,
On Thu, Nov 17, 2022 at 4:46 PM Szymon Heidrich
<szymon.heidrich@gmail.com> wrote:
>
> Prevent access to arbitrary memory locations in gen_ndis_set_resp
> via manipulation of buf->InformationBufferOffset. Lack of validation
> of BufOffset could be exploited to dump arbitrary memory contents
> via NDIS packet filter.
>
> Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Please run ./scripts/get_maintainer.pl on your patch and copy the maintainers.
> ---
> drivers/usb/gadget/rndis.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/usb/gadget/rndis.c b/drivers/usb/gadget/rndis.c
> index 13c327ea38..3948f2cc9a 100644
> --- a/drivers/usb/gadget/rndis.c
> +++ b/drivers/usb/gadget/rndis.c
> @@ -855,14 +855,17 @@ static int rndis_set_response(int configNr, rndis_set_msg_type *buf)
> rndis_set_cmplt_type *resp;
> rndis_resp_t *r;
>
> + BufLength = get_unaligned_le32(&buf->InformationBufferLength);
> + BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
> + if ((BufOffset > RNDIS_MAX_TOTAL_SIZE - 8) ||
> + (BufLength > RNDIS_MAX_TOTAL_SIZE - 8 - BufOffset))
> + return -EINVAL;
> +
> r = rndis_add_response(configNr, sizeof(rndis_set_cmplt_type));
> if (!r)
> return -ENOMEM;
> resp = (rndis_set_cmplt_type *) r->buf;
>
> - BufLength = get_unaligned_le32(&buf->InformationBufferLength);
> - BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
> -
> #ifdef VERBOSE
> debug("%s: Length: %d\n", __func__, BufLength);
> debug("%s: Offset: %d\n", __func__, BufOffset);
> --
> 2.38.1
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] Enforce buffer boundaries on RNDIS USB Gadget
2022-11-20 15:02 ` Fabio Estevam
@ 2022-12-03 14:59 ` Szymon Heidrich
2022-12-04 19:12 ` Marek Vasut
0 siblings, 1 reply; 9+ messages in thread
From: Szymon Heidrich @ 2022-12-03 14:59 UTC (permalink / raw)
To: Fabio Estevam, Lukasz Majewski, Marek Vasut; +Cc: u-boot
On 20/11/2022 16:02, Fabio Estevam wrote:
> Szymon,
>
> On Thu, Nov 17, 2022 at 4:46 PM Szymon Heidrich
> <szymon.heidrich@gmail.com> wrote:
>>
>> Prevent access to arbitrary memory locations in gen_ndis_set_resp
>> via manipulation of buf->InformationBufferOffset. Lack of validation
>> of BufOffset could be exploited to dump arbitrary memory contents
>> via NDIS packet filter.
>>
>> Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
>
> Please run ./scripts/get_maintainer.pl on your patch and copy the maintainers.
>
Hello Fabio,
Sorry I missed adding Lukasz and Marek - I'll keep that in mind for future.
Is there anything else missing from my side?
Best regards,
Szymon
>
>> ---
>> drivers/usb/gadget/rndis.c | 9 ++++++---
>> 1 file changed, 6 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/usb/gadget/rndis.c b/drivers/usb/gadget/rndis.c
>> index 13c327ea38..3948f2cc9a 100644
>> --- a/drivers/usb/gadget/rndis.c
>> +++ b/drivers/usb/gadget/rndis.c
>> @@ -855,14 +855,17 @@ static int rndis_set_response(int configNr, rndis_set_msg_type *buf)
>> rndis_set_cmplt_type *resp;
>> rndis_resp_t *r;
>>
>> + BufLength = get_unaligned_le32(&buf->InformationBufferLength);
>> + BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
>> + if ((BufOffset > RNDIS_MAX_TOTAL_SIZE - 8) ||
>> + (BufLength > RNDIS_MAX_TOTAL_SIZE - 8 - BufOffset))
>> + return -EINVAL;
>> +
>> r = rndis_add_response(configNr, sizeof(rndis_set_cmplt_type));
>> if (!r)
>> return -ENOMEM;
>> resp = (rndis_set_cmplt_type *) r->buf;
>>
>> - BufLength = get_unaligned_le32(&buf->InformationBufferLength);
>> - BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
>> -
>> #ifdef VERBOSE
>> debug("%s: Length: %d\n", __func__, BufLength);
>> debug("%s: Offset: %d\n", __func__, BufOffset);
>> --
>> 2.38.1
>>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] Enforce buffer boundaries on RNDIS USB Gadget
2022-12-03 14:59 ` Szymon Heidrich
@ 2022-12-04 19:12 ` Marek Vasut
2022-12-04 20:36 ` Szymon Heidrich
0 siblings, 1 reply; 9+ messages in thread
From: Marek Vasut @ 2022-12-04 19:12 UTC (permalink / raw)
To: Szymon Heidrich, Fabio Estevam, Lukasz Majewski; +Cc: u-boot
On 12/3/22 15:59, Szymon Heidrich wrote:
> On 20/11/2022 16:02, Fabio Estevam wrote:
>> Szymon,
>>
>> On Thu, Nov 17, 2022 at 4:46 PM Szymon Heidrich
>> <szymon.heidrich@gmail.com> wrote:
>>>
>>> Prevent access to arbitrary memory locations in gen_ndis_set_resp
>>> via manipulation of buf->InformationBufferOffset. Lack of validation
>>> of BufOffset could be exploited to dump arbitrary memory contents
>>> via NDIS packet filter.
>>>
>>> Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
>>
>> Please run ./scripts/get_maintainer.pl on your patch and copy the maintainers.
>>
>
> Hello Fabio,
>
> Sorry I missed adding Lukasz and Marek - I'll keep that in mind for future.
>
> Is there anything else missing from my side?
There have been various security fixes recently which broke other
things, so I am being careful now.
>>> diff --git a/drivers/usb/gadget/rndis.c b/drivers/usb/gadget/rndis.c
>>> index 13c327ea38..3948f2cc9a 100644
>>> --- a/drivers/usb/gadget/rndis.c
>>> +++ b/drivers/usb/gadget/rndis.c
>>> @@ -855,14 +855,17 @@ static int rndis_set_response(int configNr, rndis_set_msg_type *buf)
>>> rndis_set_cmplt_type *resp;
>>> rndis_resp_t *r;
>>>
>>> + BufLength = get_unaligned_le32(&buf->InformationBufferLength);
>>> + BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
>>> + if ((BufOffset > RNDIS_MAX_TOTAL_SIZE - 8) ||
>>> + (BufLength > RNDIS_MAX_TOTAL_SIZE - 8 - BufOffset))
>>> + return -EINVAL;
>>> +
>>> r = rndis_add_response(configNr, sizeof(rndis_set_cmplt_type));
>>> if (!r)
>>> return -ENOMEM;
>>> resp = (rndis_set_cmplt_type *) r->buf;
>>>
>>> - BufLength = get_unaligned_le32(&buf->InformationBufferLength);
>>> - BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
>>> -
Reading through the RNDIS code, do you think the rndis_query_response
and others which use buffer/offset data from the message should also be
sanitized the same way ? I can imagine the query can be used to do test
for 1bit of data all over the memory too.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] Enforce buffer boundaries on RNDIS USB Gadget
2022-12-04 19:12 ` Marek Vasut
@ 2022-12-04 20:36 ` Szymon Heidrich
2022-12-05 0:41 ` Marek Vasut
0 siblings, 1 reply; 9+ messages in thread
From: Szymon Heidrich @ 2022-12-04 20:36 UTC (permalink / raw)
To: Marek Vasut, Fabio Estevam, Lukasz Majewski; +Cc: u-boot
On 04/12/2022 20:12, Marek Vasut wrote:
> On 12/3/22 15:59, Szymon Heidrich wrote:
>> On 20/11/2022 16:02, Fabio Estevam wrote:
>>> Szymon,
>>>
>>> On Thu, Nov 17, 2022 at 4:46 PM Szymon Heidrich
>>> <szymon.heidrich@gmail.com> wrote:
>>>>
>>>> Prevent access to arbitrary memory locations in gen_ndis_set_resp
>>>> via manipulation of buf->InformationBufferOffset. Lack of validation
>>>> of BufOffset could be exploited to dump arbitrary memory contents
>>>> via NDIS packet filter.
>>>>
>>>> Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
>>>
>>> Please run ./scripts/get_maintainer.pl on your patch and copy the maintainers.
>>>
>>
>> Hello Fabio,
>>
>> Sorry I missed adding Lukasz and Marek - I'll keep that in mind for future.
>>
>> Is there anything else missing from my side?
>
> There have been various security fixes recently which broke other things, so I am being careful now.
>
Sure, I completely understand that.
Thank you for your time and review.
>>>> diff --git a/drivers/usb/gadget/rndis.c b/drivers/usb/gadget/rndis.c
>>>> index 13c327ea38..3948f2cc9a 100644
>>>> --- a/drivers/usb/gadget/rndis.c
>>>> +++ b/drivers/usb/gadget/rndis.c
>>>> @@ -855,14 +855,17 @@ static int rndis_set_response(int configNr, rndis_set_msg_type *buf)
>>>> rndis_set_cmplt_type *resp;
>>>> rndis_resp_t *r;
>>>>
>>>> + BufLength = get_unaligned_le32(&buf->InformationBufferLength);
>>>> + BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
>>>> + if ((BufOffset > RNDIS_MAX_TOTAL_SIZE - 8) ||
>>>> + (BufLength > RNDIS_MAX_TOTAL_SIZE - 8 - BufOffset))
>>>> + return -EINVAL;
>>>> +
>>>> r = rndis_add_response(configNr, sizeof(rndis_set_cmplt_type));
>>>> if (!r)
>>>> return -ENOMEM;
>>>> resp = (rndis_set_cmplt_type *) r->buf;
>>>>
>>>> - BufLength = get_unaligned_le32(&buf->InformationBufferLength);
>>>> - BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
>>>> -
>
> Reading through the RNDIS code, do you think the rndis_query_response and others which use buffer/offset data from the message should also be sanitized the same way ? I can imagine the query can be used to do test for 1bit of data all over the memory too.
I added the extra validation in rndis_set_response as with the current implementation
it is possible to manipulate InformationBufferOffset to exploit OID_GEN_CURRENT_PACKET_FILTER
to set arbitrary memory contents within a 32byte offset as the devices packet filter.
This value may be next retrieved using gen_ndis_query_resp so one may extract specific memory
regions two bytes a time.
As for rndis_query_response I didn't touch it as the buffer offset and length passed to gen_ndis_query_resp
are not used. Please let me know in case I'm missing something.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] Enforce buffer boundaries on RNDIS USB Gadget
2022-12-04 20:36 ` Szymon Heidrich
@ 2022-12-05 0:41 ` Marek Vasut
2022-12-05 9:28 ` [PATCH v2] usb: gadget: rndis: Prevent InformationBufferOffset manipulation Szymon Heidrich
0 siblings, 1 reply; 9+ messages in thread
From: Marek Vasut @ 2022-12-05 0:41 UTC (permalink / raw)
To: Szymon Heidrich, Fabio Estevam, Lukasz Majewski; +Cc: u-boot
On 12/4/22 21:36, Szymon Heidrich wrote:
Hi,
sorry for the delays.
>>>>> diff --git a/drivers/usb/gadget/rndis.c b/drivers/usb/gadget/rndis.c
>>>>> index 13c327ea38..3948f2cc9a 100644
>>>>> --- a/drivers/usb/gadget/rndis.c
>>>>> +++ b/drivers/usb/gadget/rndis.c
>>>>> @@ -855,14 +855,17 @@ static int rndis_set_response(int configNr, rndis_set_msg_type *buf)
>>>>> rndis_set_cmplt_type *resp;
>>>>> rndis_resp_t *r;
>>>>>
>>>>> + BufLength = get_unaligned_le32(&buf->InformationBufferLength);
>>>>> + BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
>>>>> + if ((BufOffset > RNDIS_MAX_TOTAL_SIZE - 8) ||
>>>>> + (BufLength > RNDIS_MAX_TOTAL_SIZE - 8 - BufOffset))
>>>>> + return -EINVAL;
>>>>> +
>>>>> r = rndis_add_response(configNr, sizeof(rndis_set_cmplt_type));
>>>>> if (!r)
>>>>> return -ENOMEM;
>>>>> resp = (rndis_set_cmplt_type *) r->buf;
>>>>>
>>>>> - BufLength = get_unaligned_le32(&buf->InformationBufferLength);
>>>>> - BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
>>>>> -
>>
>> Reading through the RNDIS code, do you think the rndis_query_response and others which use buffer/offset data from the message should also be sanitized the same way ? I can imagine the query can be used to do test for 1bit of data all over the memory too.
>
>
> I added the extra validation in rndis_set_response as with the current implementation
> it is possible to manipulate InformationBufferOffset to exploit OID_GEN_CURRENT_PACKET_FILTER
> to set arbitrary memory contents within a 32byte offset as the devices packet filter.
> This value may be next retrieved using gen_ndis_query_resp so one may extract specific memory
> regions two bytes a time.
I see, can you please add that ^ explanation into the commit message and
send V2 ? I'll pick it into the current MR.
Thanks
> As for rndis_query_response I didn't touch it as the buffer offset and length passed to gen_ndis_query_resp
> are not used. Please let me know in case I'm missing something.
[...]
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH v2] usb: gadget: rndis: Prevent InformationBufferOffset manipulation
2022-12-05 0:41 ` Marek Vasut
@ 2022-12-05 9:28 ` Szymon Heidrich
2022-12-09 1:56 ` Marek Vasut
0 siblings, 1 reply; 9+ messages in thread
From: Szymon Heidrich @ 2022-12-05 9:28 UTC (permalink / raw)
To: marex, festevam, lukma; +Cc: szymon.heidrich, u-boot
Prevent access to arbitrary memory locations in gen_ndis_set_resp
via manipulation of buf->InformationBufferOffset. Original
implementation permits manipulation of InformationBufferOffset to
exploit OID_GEN_CURRENT_PACKET_FILTER to set arbitrary memory contents
within a 32byte offset as the devices packet filter. The packet filter
value may be next retrieved using gen_ndis_query_resp so it is possible
to extract specific memory regions two bytes a time.
The rndis_query_response was not modified as neither the buffer offset
nor length passed to gen_ndis_query_resp is used.
Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
---
V1 -> V2: Updated commit message
drivers/usb/gadget/rndis.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/gadget/rndis.c b/drivers/usb/gadget/rndis.c
index 13c327ea38..3948f2cc9a 100644
--- a/drivers/usb/gadget/rndis.c
+++ b/drivers/usb/gadget/rndis.c
@@ -855,14 +855,17 @@ static int rndis_set_response(int configNr, rndis_set_msg_type *buf)
rndis_set_cmplt_type *resp;
rndis_resp_t *r;
+ BufLength = get_unaligned_le32(&buf->InformationBufferLength);
+ BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
+ if ((BufOffset > RNDIS_MAX_TOTAL_SIZE - 8) ||
+ (BufLength > RNDIS_MAX_TOTAL_SIZE - 8 - BufOffset))
+ return -EINVAL;
+
r = rndis_add_response(configNr, sizeof(rndis_set_cmplt_type));
if (!r)
return -ENOMEM;
resp = (rndis_set_cmplt_type *) r->buf;
- BufLength = get_unaligned_le32(&buf->InformationBufferLength);
- BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
-
#ifdef VERBOSE
debug("%s: Length: %d\n", __func__, BufLength);
debug("%s: Offset: %d\n", __func__, BufOffset);
--
2.38.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH v2] usb: gadget: rndis: Prevent InformationBufferOffset manipulation
2022-12-05 9:28 ` [PATCH v2] usb: gadget: rndis: Prevent InformationBufferOffset manipulation Szymon Heidrich
@ 2022-12-09 1:56 ` Marek Vasut
2022-12-09 11:48 ` Szymon Heidrich
0 siblings, 1 reply; 9+ messages in thread
From: Marek Vasut @ 2022-12-09 1:56 UTC (permalink / raw)
To: Szymon Heidrich, festevam, lukma; +Cc: u-boot
On 12/5/22 10:28, Szymon Heidrich wrote:
> Prevent access to arbitrary memory locations in gen_ndis_set_resp
> via manipulation of buf->InformationBufferOffset. Original
> implementation permits manipulation of InformationBufferOffset to
> exploit OID_GEN_CURRENT_PACKET_FILTER to set arbitrary memory contents
> within a 32byte offset as the devices packet filter. The packet filter
> value may be next retrieved using gen_ndis_query_resp so it is possible
> to extract specific memory regions two bytes a time.
>
> The rndis_query_response was not modified as neither the buffer offset
> nor length passed to gen_ndis_query_resp is used.
>
> Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
> ---
> V1 -> V2: Updated commit message
>
> drivers/usb/gadget/rndis.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/usb/gadget/rndis.c b/drivers/usb/gadget/rndis.c
> index 13c327ea38..3948f2cc9a 100644
> --- a/drivers/usb/gadget/rndis.c
> +++ b/drivers/usb/gadget/rndis.c
> @@ -855,14 +855,17 @@ static int rndis_set_response(int configNr, rndis_set_msg_type *buf)
> rndis_set_cmplt_type *resp;
> rndis_resp_t *r;
>
> + BufLength = get_unaligned_le32(&buf->InformationBufferLength);
> + BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
> + if ((BufOffset > RNDIS_MAX_TOTAL_SIZE - 8) ||
> + (BufLength > RNDIS_MAX_TOTAL_SIZE - 8 - BufOffset))
> + return -EINVAL;
> +
> r = rndis_add_response(configNr, sizeof(rndis_set_cmplt_type));
> if (!r)
> return -ENOMEM;
> resp = (rndis_set_cmplt_type *) r->buf;
>
> - BufLength = get_unaligned_le32(&buf->InformationBufferLength);
> - BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
> -
> #ifdef VERBOSE
> debug("%s: Length: %d\n", __func__, BufLength);
> debug("%s: Offset: %d\n", __func__, BufOffset);
Applied to usb/master, thanks
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2] usb: gadget: rndis: Prevent InformationBufferOffset manipulation
2022-12-09 1:56 ` Marek Vasut
@ 2022-12-09 11:48 ` Szymon Heidrich
0 siblings, 0 replies; 9+ messages in thread
From: Szymon Heidrich @ 2022-12-09 11:48 UTC (permalink / raw)
To: Marek Vasut, festevam, lukma; +Cc: u-boot
On 09/12/2022 02:56, Marek Vasut wrote:
> On 12/5/22 10:28, Szymon Heidrich wrote:
>> Prevent access to arbitrary memory locations in gen_ndis_set_resp
>> via manipulation of buf->InformationBufferOffset. Original
>> implementation permits manipulation of InformationBufferOffset to
>> exploit OID_GEN_CURRENT_PACKET_FILTER to set arbitrary memory contents
>> within a 32byte offset as the devices packet filter. The packet filter
>> value may be next retrieved using gen_ndis_query_resp so it is possible
>> to extract specific memory regions two bytes a time.
>>
>> The rndis_query_response was not modified as neither the buffer offset
>> nor length passed to gen_ndis_query_resp is used.
>>
>> Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
>> ---
>> V1 -> V2: Updated commit message
>>
>> drivers/usb/gadget/rndis.c | 9 ++++++---
>> 1 file changed, 6 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/usb/gadget/rndis.c b/drivers/usb/gadget/rndis.c
>> index 13c327ea38..3948f2cc9a 100644
>> --- a/drivers/usb/gadget/rndis.c
>> +++ b/drivers/usb/gadget/rndis.c
>> @@ -855,14 +855,17 @@ static int rndis_set_response(int configNr, rndis_set_msg_type *buf)
>> rndis_set_cmplt_type *resp;
>> rndis_resp_t *r;
>> + BufLength = get_unaligned_le32(&buf->InformationBufferLength);
>> + BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
>> + if ((BufOffset > RNDIS_MAX_TOTAL_SIZE - 8) ||
>> + (BufLength > RNDIS_MAX_TOTAL_SIZE - 8 - BufOffset))
>> + return -EINVAL;
>> +
>> r = rndis_add_response(configNr, sizeof(rndis_set_cmplt_type));
>> if (!r)
>> return -ENOMEM;
>> resp = (rndis_set_cmplt_type *) r->buf;
>> - BufLength = get_unaligned_le32(&buf->InformationBufferLength);
>> - BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
>> -
>> #ifdef VERBOSE
>> debug("%s: Length: %d\n", __func__, BufLength);
>> debug("%s: Offset: %d\n", __func__, BufOffset);
>
> Applied to usb/master, thanks
Thank you very much for your time and review.
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2022-12-09 11:48 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-11-17 19:44 [PATCH] Enforce buffer boundaries on RNDIS USB Gadget Szymon Heidrich
2022-11-20 15:02 ` Fabio Estevam
2022-12-03 14:59 ` Szymon Heidrich
2022-12-04 19:12 ` Marek Vasut
2022-12-04 20:36 ` Szymon Heidrich
2022-12-05 0:41 ` Marek Vasut
2022-12-05 9:28 ` [PATCH v2] usb: gadget: rndis: Prevent InformationBufferOffset manipulation Szymon Heidrich
2022-12-09 1:56 ` Marek Vasut
2022-12-09 11:48 ` Szymon Heidrich
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.