From: Szymon Heidrich <szymon.heidrich@gmail.com>
To: Fabio Estevam <festevam@gmail.com>,
Lukasz Majewski <lukma@denx.de>, Marek Vasut <marex@denx.de>
Cc: u-boot@lists.denx.de
Subject: Re: [PATCH] Enforce buffer boundaries on RNDIS USB Gadget
Date: Sat, 3 Dec 2022 15:59:37 +0100 [thread overview]
Message-ID: <0625e391-ce84-20be-e89e-94f4e961c44c@gmail.com> (raw)
In-Reply-To: <CAOMZO5AOMfwZKx5t5i3yJFskx3xjAP2bf6yjLmPJd9qaLatUng@mail.gmail.com>
On 20/11/2022 16:02, Fabio Estevam wrote:
> Szymon,
>
> On Thu, Nov 17, 2022 at 4:46 PM Szymon Heidrich
> <szymon.heidrich@gmail.com> wrote:
>>
>> Prevent access to arbitrary memory locations in gen_ndis_set_resp
>> via manipulation of buf->InformationBufferOffset. Lack of validation
>> of BufOffset could be exploited to dump arbitrary memory contents
>> via NDIS packet filter.
>>
>> Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
>
> Please run ./scripts/get_maintainer.pl on your patch and copy the maintainers.
>
Hello Fabio,
Sorry I missed adding Lukasz and Marek - I'll keep that in mind for future.
Is there anything else missing from my side?
Best regards,
Szymon
>
>> ---
>> drivers/usb/gadget/rndis.c | 9 ++++++---
>> 1 file changed, 6 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/usb/gadget/rndis.c b/drivers/usb/gadget/rndis.c
>> index 13c327ea38..3948f2cc9a 100644
>> --- a/drivers/usb/gadget/rndis.c
>> +++ b/drivers/usb/gadget/rndis.c
>> @@ -855,14 +855,17 @@ static int rndis_set_response(int configNr, rndis_set_msg_type *buf)
>> rndis_set_cmplt_type *resp;
>> rndis_resp_t *r;
>>
>> + BufLength = get_unaligned_le32(&buf->InformationBufferLength);
>> + BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
>> + if ((BufOffset > RNDIS_MAX_TOTAL_SIZE - 8) ||
>> + (BufLength > RNDIS_MAX_TOTAL_SIZE - 8 - BufOffset))
>> + return -EINVAL;
>> +
>> r = rndis_add_response(configNr, sizeof(rndis_set_cmplt_type));
>> if (!r)
>> return -ENOMEM;
>> resp = (rndis_set_cmplt_type *) r->buf;
>>
>> - BufLength = get_unaligned_le32(&buf->InformationBufferLength);
>> - BufOffset = get_unaligned_le32(&buf->InformationBufferOffset);
>> -
>> #ifdef VERBOSE
>> debug("%s: Length: %d\n", __func__, BufLength);
>> debug("%s: Offset: %d\n", __func__, BufOffset);
>> --
>> 2.38.1
>>
next prev parent reply other threads:[~2022-12-03 14:59 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-17 19:44 [PATCH] Enforce buffer boundaries on RNDIS USB Gadget Szymon Heidrich
2022-11-20 15:02 ` Fabio Estevam
2022-12-03 14:59 ` Szymon Heidrich [this message]
2022-12-04 19:12 ` Marek Vasut
2022-12-04 20:36 ` Szymon Heidrich
2022-12-05 0:41 ` Marek Vasut
2022-12-05 9:28 ` [PATCH v2] usb: gadget: rndis: Prevent InformationBufferOffset manipulation Szymon Heidrich
2022-12-09 1:56 ` Marek Vasut
2022-12-09 11:48 ` Szymon Heidrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0625e391-ce84-20be-e89e-94f4e961c44c@gmail.com \
--to=szymon.heidrich@gmail.com \
--cc=festevam@gmail.com \
--cc=lukma@denx.de \
--cc=marex@denx.de \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox