iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/drivers/net
History
Szymon Heidrich 232ef345e5 usb: rndis_host: Secure rndis_query check against int overflow 
[ Upstream commit c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2 ]

Variables off and len typed as uint32 in rndis_query function
are controlled by incoming RNDIS response message thus their
value may be manipulated. Setting off to a unexpectetly large
value will cause the sum with len and 8 to overflow and pass
the implemented validation step. Consequently the response
pointer will be referring to a location past the expected
buffer boundaries allowing information leakage e.g. via
RNDIS_OID_802_3_PERMANENT_ADDRESS OID.

Fixes: ddda08624013 ("USB: rndis_host, various cleanups")
Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-01-14 10:16:48 +01:00
..
appletalk
arcnet
arcnet: fix potential memory leak in com20020_probe()
2022-12-02 17:40:02 +01:00
bonding
drivers/net/bonding/bond_3ad: return when there's no aggregator
2023-01-14 10:16:48 +01:00
caif
caif_virtio: fix race between virtio_device_ready() and ndo_open()
2022-07-07 17:52:18 +02:00
can
can: tcan4x5x: Remove invalid write in clear_interrupts
2023-01-14 10:15:44 +01:00
dsa
net: lan9303: Fix read error execution path
2023-01-14 10:15:44 +01:00
ethernet
net: amd-xgbe: add missed tasklet_kill
2023-01-14 10:16:46 +01:00
fddi
net: defxx: Fix missing err handling in dfx_init()
2023-01-14 10:15:42 +01:00
fjes
hamradio
hamradio: baycom_epp: Fix return type of baycom_send_packet()
2023-01-14 10:16:16 +01:00
hippi
drivers: net: hippi: Fix deadlock in rr_close()
2022-05-09 09:05:06 +02:00
hyperv
hv_netvsc: Fix race between VF offering and VF association message from host
2022-10-30 09:41:19 +01:00
ieee802154
ca8210: Fix crash by zero initializing data
2022-12-14 11:32:00 +01:00
ipa
net: ipa: properly limit modem routing table use
2022-09-28 11:10:34 +02:00
ipvlan
ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header
2022-09-28 11:10:30 +02:00
mdio
of: mdio: Add of_node_put() when breaking out of for_each_xx
2022-09-28 11:10:33 +02:00
netdevsim
net: Use u64_stats_fetch_begin_irq() for stats fetch.
2022-09-08 11:11:40 +02:00
pcs
phy
net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe
2023-01-14 10:16:47 +01:00
plip
net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq()
2022-12-14 11:32:04 +01:00
ppp
ppp: associate skb with a device at tx
2023-01-14 10:16:18 +01:00
slip
drivers: net: slip: fix NPD bug in sl_tx_timeout()
2022-04-20 09:23:24 +02:00
team
net: team: Unsync device addresses on ndo_stop
2022-09-28 11:10:31 +02:00
usb
usb: rndis_host: Secure rndis_query check against int overflow
2023-01-14 10:16:48 +01:00
vmxnet3
vmxnet3: correctly report csum_level for encapsulated packet
2023-01-14 10:16:45 +01:00
wan
net: farsync: Fix kmemleak when rmmods farsync
2023-01-14 10:15:43 +01:00
wimax
wireguard
wireguard: netlink: avoid variable-sized memcpy on sockaddr
2022-09-28 11:10:34 +02:00
wireless
wifi: wilc1000: sdio: fix module autoloading
2023-01-14 10:16:35 +01:00
xen-netback
xen/netback: fix build warning
2022-12-14 11:32:04 +01:00
bareudp.c
bareudp: use ipv6_mod_enabled to check if IPv6 enabled
2022-04-08 14:40:22 +02:00
dummy.c
eql.c
geneve.c
geneve: fix TOS inheriting for ipv4
2022-08-25 11:38:02 +02:00
gtp.c
ifb.c
Kconfig
lib/crypto: blake2s: include as built-in
2022-05-30 09:33:26 +02:00
LICENSE.SRC
loopback.c
net: loopback: use NET_NAME_PREDICTABLE for name_assign_type
2022-12-21 17:32:08 +01:00
macsec.c
net: macsec: fix net device access prior to holding a lock
2023-01-14 10:16:09 +01:00
macvlan.c
macvlan: enforce a consistent minimal mtu
2022-11-25 17:45:55 +01:00
macvtap.c
macvtap: advertise link netns via netlink
2022-04-13 21:00:59 +02:00
Makefile
mdio.c
mii.c
net_failover.c
netconsole.c
nlmon.c
ntb_netdev.c
ntb_netdev: Use dev_kfree_skb_any() in interrupt context
2023-01-14 10:15:44 +01:00
rionet.c
sb1000.c
Space.c
sungem_phy.c
net: sungem_phy: Add of_node_put() for reference returned by of_get_parent()
2022-08-03 12:00:46 +02:00
tap.c
tuntap: add sanity checks about msg_controllen in sendmsg
2022-04-13 21:00:59 +02:00
thunderbolt.c
net: thunderbolt: Fix error handling in tbnet_init()
2022-11-25 17:45:48 +01:00
tun.c
net: tun: Fix use-after-free in tun_detach()
2022-12-08 11:23:56 +01:00
veth.c
veth: Fix race with AF_XDP exposing old or uninitialized descriptors
2023-01-14 10:16:45 +01:00
virtio_net.c
virtio_net: fix memory leak inside XPD_TX with mergeable
2022-08-25 11:37:57 +02:00
vrf.c
vsockmon.c
vxlan.c
vxlan: fix error return code in vxlan_fdb_append
2022-04-27 13:53:53 +02:00
xen-netfront.c
xen-netfront: Fix NULL sring after live migration
2022-12-14 11:32:02 +01:00