Re: [PATCH v2] usb: gadget: rndis: validate query and set message buffers
From: Pengpeng Hou
Date: Wed Apr 01 2026 - 07:40:35 EST
Hi Greg,
I have not tested this against an actual RNDIS host/device setup yet.
For clarity, v2 did not change the code from v1; it only expanded the
commit message.
What I was trying to fix here is limited to two current-tree checks that
are missing today:
1. rndis_msg_parser() reads MsgLength from the request body but does not
verify that it fits within the actual EP0 request buffer length.
2. rndis_set_response() validates the host-controlled
InformationBufferOffset/InformationBufferLength pair before using it,
but rndis_query_response() still passes the same fields directly into
gen_ndis_query_resp() without corresponding bounds validation.
I do not mean this patch to claim that these are the only issues in the
RNDIS parser.
If you want runtime testing before considering this further, I can stop
here until I can test it properly.
Thanks,
Pengpeng
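As an added illustration of the two missing checks described above (example code written for this page, not the patch itself and not the kernel's rndis.c), this standalone C function validates a REMOTE_NDIS_QUERY_MSG against the number of bytes actually received and then bounds-checks the host-supplied InformationBufferOffset/InformationBufferLength pair with overflow-safe arithmetic. The field layout follows the public RNDIS specification; the function, enum and helper names are assumed.

```c
#include <stdint.h>
#include <stddef.h>

/* REMOTE_NDIS_QUERY_MSG: seven little-endian u32 fields (MessageType, MessageLength,
 * RequestId, Oid, InformationBufferLength, InformationBufferOffset, DeviceVcHandle).
 * InformationBufferOffset is counted from RequestId, i.e. from byte 8. */
#define RNDIS_QUERY_MSG_TYPE 0x00000004u
#define RNDIS_QUERY_HDR_LEN  28u
#define RNDIS_INFO_BASE      8u

enum rndis_check { RNDIS_OK, RNDIS_SHORT_BUF, RNDIS_BAD_TYPE,
                   RNDIS_MSGLEN_EXCEEDS_BUF, RNDIS_INFO_OOB };
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Validate a query message received on EP0. buf_len is what was actually
 * received; msg_len, ilen and ioff all come from the host and are untrusted.
 * On success *info/*info_len describe the in-bounds InformationBuffer. */
enum rndis_check rndis_check_query(const uint8_t *buf, size_t buf_len,
                                   const uint8_t **info, uint32_t *info_len)
{
    if (buf_len < RNDIS_QUERY_HDR_LEN)
        return RNDIS_SHORT_BUF;
    if (get_le32(buf) != RNDIS_QUERY_MSG_TYPE)
        return RNDIS_BAD_TYPE;
    uint32_t msg_len = get_le32(buf + 4);
    /* check 1: MessageLength must fit inside the bytes really received */
    if (msg_len < RNDIS_QUERY_HDR_LEN || msg_len > buf_len)
        return RNDIS_MSGLEN_EXCEEDS_BUF;
    uint32_t ilen = get_le32(buf + 16), ioff = get_le32(buf + 20);
    /* check 2: offset/length window must lie inside msg_len; 64-bit so it cannot wrap */
    if ((uint64_t)RNDIS_INFO_BASE + ioff + ilen > msg_len)
        return RNDIS_INFO_OOB;
    *info = buf + RNDIS_INFO_BASE + ioff;
    *info_len = ilen;
    return RNDIS_OK;
}

/* Constructed test helper (not captured traffic): emit a header with host-chosen
 * values; RequestId is fixed to 1 and the Oid is an arbitrary constructed value. */
void build_query(uint8_t *out, uint32_t msg_len, uint32_t ilen, uint32_t ioff)
{
    uint32_t f[7] = { RNDIS_QUERY_MSG_TYPE, msg_len, 1, 0x00010101u, ilen, ioff, 0 };
    for (int i = 0; i < 7; i++)
        for (int b = 0; b < 4; b++)
            out[4 * i + b] = (uint8_t)(f[i] >> (8 * b));
}
```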