Re: [PATCH] Prevent buffer overflow on USB control endpoint

2022-12-19 Thread Szymon Heidrich
On 16/12/2022 04:22, Marek Vasut wrote: > On 11/20/22 18:42, Szymon Heidrich wrote: >> On 20/11/2022 18:25, Marek Vasut wrote: >>> On 11/20/22 16:29, Szymon Heidrich wrote: >>>> On 20/11/2022 15:43, Marek Vasut wrote: >>>>> On 11/17/22 12:50, Fabio E

Re: [PATCH] Prevent buffer overflow on USB control endpoint

2022-12-12 Thread Szymon Heidrich
On 28/11/2022 10:27, Marek Vasut wrote: > On 11/28/22 10:21, Szymon Heidrich wrote: >> On 20/11/2022 16:29, Szymon Heidrich wrote: >>> On 20/11/2022 15:43, Marek Vasut wrote: >>>> On 11/17/22 12:50, Fabio Estevam wrote: >>>>> [Adding Lukasz and Marek

Re: [PATCH v2] usb: gadget: rndis: Prevent InformationBufferOffset manipulation

2022-12-09 Thread Szymon Heidrich
On 09/12/2022 02:56, Marek Vasut wrote: > On 12/5/22 10:28, Szymon Heidrich wrote: >> Prevent access to arbitrary memory locations in gen_ndis_set_resp >> via manipulation of buf->InformationBufferOffset. Original >> implementation permits manipulation of InformationBu

[PATCH v2] usb: gadget: rndis: Prevent InformationBufferOffset manipulation

2022-12-05 Thread Szymon Heidrich
-by: Szymon Heidrich --- V1 -> V2: Updated commit message drivers/usb/gadget/rndis.c | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/usb/gadget/rndis.c b/drivers/usb/gadget/rndis.c index 13c327ea38..3948f2cc9a 100644 --- a/drivers/usb/gadget/rndis.c +++ b/drive

Re: [PATCH] Enforce buffer boundaries on RNDIS USB Gadget

2022-12-04 Thread Szymon Heidrich
On 04/12/2022 20:12, Marek Vasut wrote: > On 12/3/22 15:59, Szymon Heidrich wrote: >> On 20/11/2022 16:02, Fabio Estevam wrote: >>> Szymon, >>> >>> On Thu, Nov 17, 2022 at 4:46 PM Szymon Heidrich >>> wrote: >>>> >>>> Preve

Re: [PATCH] Enforce buffer boundaries on RNDIS USB Gadget

2022-12-03 Thread Szymon Heidrich
On 20/11/2022 16:02, Fabio Estevam wrote: > Szymon, > > On Thu, Nov 17, 2022 at 4:46 PM Szymon Heidrich > wrote: >> >> Prevent access to arbitrary memory locations in gen_ndis_set_resp >> via manipulation of buf->InformationBufferOffset. Lack of validation >

Re: [PATCH] Prevent buffer overflow on USB control endpoint

2022-11-28 Thread Szymon Heidrich
On 20/11/2022 16:29, Szymon Heidrich wrote: > On 20/11/2022 15:43, Marek Vasut wrote: >> On 11/17/22 12:50, Fabio Estevam wrote: >>> [Adding Lukasz and Marek] >>> >>> On Thu, Nov 17, 2022 at 6:50 AM Szymon Heidrich >>> wrote: >>>> >>

Re: [PATCH] Prevent buffer overflow on USB control endpoint

2022-11-20 Thread Szymon Heidrich
On 20/11/2022 18:25, Marek Vasut wrote: > On 11/20/22 16:29, Szymon Heidrich wrote: >> On 20/11/2022 15:43, Marek Vasut wrote: >>> On 11/17/22 12:50, Fabio Estevam wrote: >>>> [Adding Lukasz and Marek] >>>> >>>> On Thu, Nov 17, 2022 at 6:50 A

Re: [PATCH] Prevent buffer overflow on USB control endpoint

2022-11-20 Thread Szymon Heidrich
On 20/11/2022 15:43, Marek Vasut wrote: > On 11/17/22 12:50, Fabio Estevam wrote: >> [Adding Lukasz and Marek] >> >> On Thu, Nov 17, 2022 at 6:50 AM Szymon Heidrich >> wrote: >>> >>> Assure that the control endpoint buffer of size USB_BUFSIZ (4096) >

[PATCH] Enforce buffer boundaries on RNDIS USB Gadget

2022-11-17 Thread Szymon Heidrich
Prevent access to arbitrary memory locations in gen_ndis_set_resp via manipulation of buf->InformationBufferOffset. Lack of validation of BufOffset could be exploited to dump arbitrary memory contents via NDIS packet filter. Signed-off-by: Szymon Heidrich --- drivers/usb/gadget/rndis.c

[PATCH] Prevent buffer overflow on USB control endpoint

2022-11-17 Thread Szymon Heidrich
Assure that the control endpoint buffer of size USB_BUFSIZ (4096) can not be overflown during handling of USB control transfer requests with wLength greater than USB_BUFSIZ. Signed-off-by: Szymon Heidrich --- drivers/usb/gadget/composite.c | 11 +++ 1 file changed, 11 insertions

USB Device buffer overflow

2022-11-16 Thread Szymon Heidrich
case 2: > value = len; > req->complete = sdp_rx_data_complete; > sdp_func->state = SDP_STATE_RX_FILE_DATA_BUSY; > break; > } > } > } Please find attached a patch addressing this issue. Depending on request dir