BACKPORT: usb: gadget: rndis: prevent integer overflow in rndis_set_response()
commit 65f3324f upstream. If "BufOffset" is very large the "BufOffset + 8" operation can have an integer overflow. Bug: 239842288 Cc: stable@kernel.org Fixes: 38ea1eac ("usb: gadget: rndis: check size of RNDIS_MSG_SET command") Signed-off-by:Dan Carpenter <dan.carpenter@oracle.com> Link: https://lore.kernel.org/r/20220301080424.GA17208@kili Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by:
Lee Jones <joneslee@google.com> Change-Id: I4dcecb9ada2680a4211e5ccc9b27de2df964e404
Loading
Please sign in to comment