| commit | fe3c546c5ff2a6210f9a4d8561cc64051ca8603e | |
| author | Prasad J Pandit <pjp@fedoraproject.org> | |
| Tue, 16 Feb 2016 18:53:41 +0000 (17 00:23 +0530) | ||
| committer | Gerd Hoffmann <kraxel@redhat.com> | |
| Tue, 23 Feb 2016 09:38:01 +0000 (23 10:38 +0100) | ||
| tree | a03737fc0dd0904f6b6afc0b7c07c87064450ca5 | treesnapshot (tar.gz zip) |
| parent | 64c9bc181fc78275596649f591302d72df2d3071 | commitdiff |
usb: check RNDIS buffer offsets & length
When processing remote NDIS control message packets,
the USB Net device emulator uses a fixed length(4096) data buffer.
The incoming informationBufferOffset & Length combination could
overflow and cross that range. Check control message buffer
offsets and length to avoid it.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
When processing remote NDIS control message packets,
the USB Net device emulator uses a fixed length(4096) data buffer.
The incoming informationBufferOffset & Length combination could
overflow and cross that range. Check control message buffer
offsets and length to avoid it.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
| hw/usb/dev-network.c | diffblobblamehistory |