Re: [PATCH v2] usb: gadget: rndis: validate query and set message buffers

From: Greg Kroah-Hartman

Date: Mon Mar 30 2026 - 10:29:55 EST


On Mon, Mar 23, 2026 at 04:08:45PM +0800, Pengpeng Hou wrote:
> rndis_set_response() already checks the host-controlled
> InformationBufferOffset/InformationBufferLength pair before using it,
> but the QUERY path still passes the same fields straight into
> gen_ndis_query_resp(). The parser also does not verify that MsgLength
> fits the actual EP0 request buffer before dispatching the message.
>
> Pass the actual request size into rndis_msg_parser(), reject messages
> whose MsgLength exceeds the received buffer, and apply the same offset
> and length validation to QUERY and SET requests before dereferencing the
> embedded information buffer.
>
> Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
> ---
> v2:
> - add commit message context and fix rationale
> - no code changes

Have you tested this? I remember lots of issues like this in the
protocol, so this might not be the only one in here. I really just want
to delete this code entirely, but some people really like to talk to old
obsolete Windows systems :(

thanks,

greg k-h
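To make the three checks the quoted commit message describes concrete (MsgLength bounded by the bytes actually received, and the host-controlled InformationBufferOffset/InformationBufferLength pair bounded by MsgLength before the embedded buffer is dereferenced), here is an added stand-alone C example. It is not the patch's code and not the kernel's rndis_msg_parser(); the function names rndis_check_ctrl_msg(), rndis_build_ctrl_msg() and rndis_check_case() are hypothetical, the wire layout and message-type values follow the RNDIS specification (offset counted from the RequestId field), and the sample messages, including the Oid value, are constructed for the test.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RNDIS control message types (values from the RNDIS specification). */
#define REMOTE_NDIS_QUERY_MSG 0x00000004u
#define REMOTE_NDIS_SET_MSG   0x00000005u

/* Wire layout shared by QUERY and SET messages, all little-endian u32:
 *   0 MsgType, 4 MsgLength, 8 RequestId, 12 Oid,
 *  16 InformationBufferLength, 20 InformationBufferOffset, 24 DeviceVcHandle */
#define RNDIS_HDR_LEN        8u   /* MsgType + MsgLength */
#define RNDIS_REQID_OFFSET   8u   /* InformationBufferOffset is counted from here */
#define RNDIS_CTRL_FIXED_LEN 28u  /* fixed part that precedes the information buffer */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Validate a received QUERY/SET message before touching its information
 * buffer. `received` is the byte count the EP0 transfer actually delivered.
 * Returns 0 and sets *info/*info_len on success, -1 on any inconsistency.
 * Hypothetical helper; not the kernel's parser. */
int rndis_check_ctrl_msg(const uint8_t *buf, size_t received,
                         const uint8_t **info, uint32_t *info_len)
{
    uint32_t msg_type, msg_len, len, off;
    uint64_t base, end;   /* 64-bit so a huge offset cannot wrap past the check */

    if (!buf || received < RNDIS_HDR_LEN)
        return -1;
    msg_type = rd32(buf);
    msg_len  = rd32(buf + 4);

    /* MsgLength is host-controlled: it must not exceed what was really received. */
    if (msg_len < RNDIS_HDR_LEN || msg_len > received)
        return -1;
    if (msg_type != REMOTE_NDIS_QUERY_MSG && msg_type != REMOTE_NDIS_SET_MSG)
        return -1;                       /* other message types are out of scope here */
    if (msg_len < RNDIS_CTRL_FIXED_LEN)
        return -1;                       /* cannot even hold the fixed fields */

    len  = rd32(buf + 16);
    off  = rd32(buf + 20);
    base = (uint64_t)RNDIS_REQID_OFFSET + off;
    end  = base + len;
    if (end > msg_len)
        return -1;                       /* buffer would run past the message */
    /* Design choice: a non-empty buffer may not alias the fixed header fields. */
    if (len != 0 && base < RNDIS_CTRL_FIXED_LEN)
        return -1;

    *info = buf + base;
    *info_len = len;
    return 0;
}

/* Build a QUERY/SET message with caller-chosen (possibly inconsistent) header
 * values into out; returns bytes written, or 0 if it does not fit. */
size_t rndis_build_ctrl_msg(uint8_t *out, size_t cap, uint32_t type,
                            uint32_t msg_len_field, uint32_t off, uint32_t len,
                            const uint8_t *payload, size_t payload_len)
{
    if (cap < RNDIS_CTRL_FIXED_LEN + payload_len)
        return 0;
    memset(out, 0, RNDIS_CTRL_FIXED_LEN);
    wr32(out, type);
    wr32(out + 4, msg_len_field);
    wr32(out + 8, 1);             /* RequestId */
    wr32(out + 12, 0x00010101u);  /* Oid: constructed sample value */
    wr32(out + 16, len);
    wr32(out + 20, off);
    if (payload_len)
        memcpy(out + RNDIS_CTRL_FIXED_LEN, payload, payload_len);
    return RNDIS_CTRL_FIXED_LEN + payload_len;
}

/* One scenario: build a message, then validate it; returns the checker's result. */
int rndis_check_case(uint32_t type, uint32_t msg_len_field,
                     uint32_t off, uint32_t len, size_t payload_len)
{
    static const uint8_t payload[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
    uint8_t msg[64];
    const uint8_t *info = NULL;
    uint32_t info_len = 0;
    size_t n = rndis_build_ctrl_msg(msg, sizeof msg, type, msg_len_field,
                                    off, len, payload, payload_len);
    if (n == 0)
        return -1;
    return rndis_check_ctrl_msg(msg, n, &info, &info_len);
}

int main(void)
{
    printf("well-formed query      : %d\n", rndis_check_case(REMOTE_NDIS_QUERY_MSG, 32, 20, 4, 4));
    printf("MsgLength > received   : %d\n", rndis_check_case(REMOTE_NDIS_SET_MSG, 64, 20, 4, 4));
    printf("offset wraps in 32 bits: %d\n", rndis_check_case(REMOTE_NDIS_QUERY_MSG, 32, 0xFFFFFFF0u, 32, 4));
    printf("length overruns message: %d\n", rndis_check_case(REMOTE_NDIS_SET_MSG, 32, 20, 8, 4));
    return 0;
}
```

The third scenario is the reason the offset arithmetic is done in 64 bits: with 32-bit wraparound, 8 + 0xFFFFFFF0 + 32 comes out to 24, which is inside a 32-byte message, so a check written in the field's own width would accept a buffer that actually starts far outside the request.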