From: Dan Carpenter <dan.carpenter@oracle.com>

mainline inclusion
from mainline-v5.17
commit 65f3324f4b6fed78b8761c3b74615ecf0ffa81fa
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5KBY1
CVE: NA
--------------------------------
If "BufOffset" is very large the "BufOffset + 8" operation can have an integer overflow.
Cc: stable@kernel.org
Fixes: 38ea1eac7d88 ("usb: gadget: rndis: check size of RNDIS_MSG_SET command")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20220301080424.GA17208@kili
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
Reviewed-by: Wei Li <liwei391@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
---
 drivers/usb/gadget/function/rndis.c | 1 +
 1 file changed, 1 insertion(+)
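The wrap-around the commit message describes, reproduced as an added stand-alone example (this is not code from the patch or from the kernel tree): the pre-patch and post-patch forms of the bounds check are written out as small functions so that a BufOffset near UINT32_MAX can be fed through both. The value of RNDIS_MAX_TOTAL_SIZE and the function names are assumptions for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this example: the driver's RNDIS_MAX_TOTAL_SIZE is 1558. */
#define RNDIS_MAX_TOTAL_SIZE 1558

/* True when off + 8 wraps in 32-bit unsigned arithmetic. */
int offset_plus_8_wraps(uint32_t off)
{
	return (uint32_t)(off + 8) < off;
}

/* Check as it stood before the patch: BufOffset + 8 is computed in u32 and wraps. */
int set_check_before(uint32_t BufLength, uint32_t BufOffset)
{
	if ((BufLength > RNDIS_MAX_TOTAL_SIZE) ||
	    (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE))
		return -EINVAL;
	return 0;
}

/* Check as patched: BufOffset is bounded first, so the later addition cannot wrap. */
int set_check_after(uint32_t BufLength, uint32_t BufOffset)
{
	if ((BufLength > RNDIS_MAX_TOTAL_SIZE) ||
	    (BufOffset > RNDIS_MAX_TOTAL_SIZE) ||
	    (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE))
		return -EINVAL;
	return 0;
}

/* Equivalent addition-free form: move the constant to the right-hand side instead. */
int set_check_no_add(uint32_t BufLength, uint32_t BufOffset)
{
	if ((BufLength > RNDIS_MAX_TOTAL_SIZE) ||
	    (BufOffset >= RNDIS_MAX_TOTAL_SIZE - 8))
		return -EINVAL;
	return 0;
}

int main(void)
{
	/* Constructed attacker-controlled header field: 0xFFFFFFF8 + 8 wraps to 0. */
	uint32_t hostile = 0xFFFFFFF8u;
	printf("wraps: %d\n", offset_plus_8_wraps(hostile));
	printf("before: %d  after: %d  no_add: %d\n",
	       set_check_before(0, hostile), set_check_after(0, hostile),
	       set_check_no_add(0, hostile));
	return 0;
}
```

Before the patch the hostile offset passes the check (the sum wraps to 0, which is not >= RNDIS_MAX_TOTAL_SIZE); after it, both the patched form and the addition-free form reject it, and they agree on every in-range value as well.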
diff --git a/drivers/usb/gadget/function/rndis.c b/drivers/usb/gadget/function/rndis.c index 6c6d819e6c2d..6e92549f2567 100644 --- a/drivers/usb/gadget/function/rndis.c +++ b/drivers/usb/gadget/function/rndis.c @@ -658,6 +658,7 @@ static int rndis_set_response(struct rndis_params *params, BufLength = le32_to_cpu(buf->InformationBufferLength); BufOffset = le32_to_cpu(buf->InformationBufferOffset); if ((BufLength > RNDIS_MAX_TOTAL_SIZE) || + (BufOffset > RNDIS_MAX_TOTAL_SIZE) || (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE)) return -EINVAL;
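Review bot: the added `(BufOffset > RNDIS_MAX_TOTAL_SIZE)` line does stop the following `BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE` from wrapping, but only because it is evaluated first, and once the wrap is excluded the second comparison subsumes the first; consider collapsing both into a single addition-free test such as `(BufOffset >= RNDIS_MAX_TOTAL_SIZE - 8)`, which cannot overflow regardless of ordering and makes the intent obvious without a second reading. Separately, nothing in this hunk relates BufOffset + BufLength to the received message length; bounding each value against RNDIS_MAX_TOTAL_SIZE individually does not by itself guarantee the information buffer lies inside the message, so confirm that comparison is made further down in rndis_set_response.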