superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/drivers/net/wireless
History
Szymon Heidrich 7794efa358 wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid 
[ Upstream commit b870e73a56 ]

Since resplen and respoffs are signed integers sufficiently
large values of unsigned int len and offset members of RNDIS
response will result in negative values of prior variables.
This may be utilized to bypass implemented security checks
to either extract memory contents by manipulating offset or
overflow the data buffer via memcpy by manipulating both
offset and len.

Additionally assure that sum of resplen and respoffs does not
overflow so buffer boundaries are kept.

Fixes: 80f8c5b434 ("rndis_wlan: copy only useful data from rndis_command respond")
Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230111175031.7049-1-szymon.heidrich@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2023-02-01 08:34:18 +01:00
..
admtek
ath wifi: ath11k: Send PME message during wakeup from D3cold 2023-01-12 12:02:58 +01:00
atmel wifi: move from strlcpy with unused retval to strscpy 2022-09-02 11:47:22 +03:00
broadcom wifi: brcmfmac: fix regression for Broadcom PCIe wifi devices 2023-01-24 07:24:32 +01:00
cisco wifi: airo: do not assign -1 to unsigned char 2022-11-01 11:15:15 +02:00
intel wifi: iwlwifi: fw: skip PPAG for JF 2023-01-24 07:24:30 +01:00
intersil wifi: p54: Fix comment typo 2022-09-07 10:59:37 +03:00
marvell treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
mediatek wifi: mt76: do not run mt76u_status_worker if the device is not running 2022-12-31 13:33:04 +01:00
microchip wifi: wilc1000: sdio: fix module autoloading 2023-01-07 11:11:51 +01:00
purelifi wifi: plfxlc: fix potential memory leak in __lf_x_usb_enable_rx() 2022-12-31 13:32:18 +01:00
quantenna treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
ralink wifi: rt2x00: use explicitly signed or unsigned types 2022-10-21 09:59:39 +03:00
realtek wifi: rtl8xxxu: Fix the channel width reporting 2022-12-31 13:32:25 +01:00
rsi wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port 2022-12-31 13:32:09 +01:00
silabs wifi: wfx: prevent underflow in wfx_send_pds() 2022-09-02 11:44:35 +03:00
st treewide: use get_random_{u8,u16}() when possible, part 1 2022-10-11 17:42:58 -06:00
ti treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
zydas
Kconfig
Makefile
mac80211_hwsim.c wifi: mac80211_hwsim: fix debugfs attribute ps with rc table support 2022-10-21 12:37:28 +02:00
mac80211_hwsim.h
ray_cs.c
ray_cs.h
rayctl.h
rndis_wlan.c wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid 2023-02-01 08:34:18 +01:00
virt_wifi.c
wl3501.h
wl3501_cs.c wifi: move from strlcpy with unused retval to strscpy 2022-09-02 11:47:22 +03:00