From: Szymon Heidrich Date: Mon, 5 Dec 2022 09:28:23 +0000 (+0100) Subject: usb: gadget: rndis: Prevent InformationBufferOffset manipulation X-Git-Url: http://git.dujemihanovic.xyz/?a=commitdiff_plain;h=51a0e215ec8ce9cc88f928373e9ce8303db1829b;p=u-boot.git usb: gadget: rndis: Prevent InformationBufferOffset manipulation Prevent access to arbitrary memory locations in gen_ndis_set_resp via manipulation of buf->InformationBufferOffset. Original implementation permits manipulation of InformationBufferOffset to exploit OID_GEN_CURRENT_PACKET_FILTER to set arbitrary memory contents within a 32byte offset as the devices packet filter. The packet filter value may be next retrieved using gen_ndis_query_resp so it is possible to extract specific memory regions two bytes a time. The rndis_query_response was not modified as neither the buffer offset nor length passed to gen_ndis_query_resp is used. Signed-off-by: Szymon Heidrich --- diff --git a/drivers/usb/gadget/rndis.c b/drivers/usb/gadget/rndis.c index 13c327ea38..3948f2cc9a 100644 --- a/drivers/usb/gadget/rndis.c +++ b/drivers/usb/gadget/rndis.c @@ -855,14 +855,17 @@ static int rndis_set_response(int configNr, rndis_set_msg_type *buf) rndis_set_cmplt_type *resp; rndis_resp_t *r; + BufLength = get_unaligned_le32(&buf->InformationBufferLength); + BufOffset = get_unaligned_le32(&buf->InformationBufferOffset); + if ((BufOffset > RNDIS_MAX_TOTAL_SIZE - 8) || + (BufLength > RNDIS_MAX_TOTAL_SIZE - 8 - BufOffset)) + return -EINVAL; + r = rndis_add_response(configNr, sizeof(rndis_set_cmplt_type)); if (!r) return -ENOMEM; resp = (rndis_set_cmplt_type *) r->buf; - BufLength = get_unaligned_le32(&buf->InformationBufferLength); - BufOffset = get_unaligned_le32(&buf->InformationBufferOffset); - #ifdef VERBOSE debug("%s: Length: %d\n", __func__, BufLength); debug("%s: Offset: %d\n", __func__, BufOffset);