10de839538c3b4f31709517aa626fb090845a90c - kernel/common

commit	10de839538c3b4f31709517aa626fb090845a90c	[log] [tgz]
author	Dan Carpenter <[email protected]>	Tue Mar 01 11:04:24 2022 +0300
committer	Todd Kjos <[email protected]>	Wed Aug 17 13:45:06 2022 -0700
tree	712539f6184df8a6a45354801ac48674a6c62c2f
parent	83882a5b5908de831111277d77adb2fe113e90a6 [diff]

usb: gadget: rndis: prevent integer overflow in rndis_set_response()

commit 65f3324f4b6fed78b8761c3b74615ecf0ffa81fa upstream.

If "BufOffset" is very large the "BufOffset + 8" operation can have an
integer overflow.

Cc: [email protected]
Fixes: 38ea1eac7d88 ("usb: gadget: rndis: check size of RNDIS_MSG_SET command")
Signed-off-by: Dan Carpenter <[email protected]>
Link: https://lore.kernel.org/r/20220301080424.GA17208@kili
Signed-off-by: Greg Kroah-Hartman <[email protected]>

drivers/usb/gadget/function/rndis.c[diff]

1 file changed