• Ignat Korchagin's avatar
    USB: usbip: fix potential out-of-bounds write · b348d7dd
    Ignat Korchagin authored
    Fix potential out-of-bounds write to urb->transfer_buffer
    usbip handles network communication directly in the kernel. When receiving a
    packet from its peer, usbip code parses headers according to protocol. As
    part of this parsing urb->actual_length is filled. Since the input for
    urb->actual_length comes from the network, it should be treated as untrusted.
    Any entity controlling the network may put any value in the input and the
    preallocated urb->transfer_buffer may not be large enough to hold the data.
    Thus, the malicious entity is able to write arbitrary data to kernel memory.
    Signed-off-by: default avatarIgnat Korchagin <ignat.korchagin@gmail.com>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    b348d7dd
usbip_common.c 19.6 KB