original_kernel/drivers/usb/usbip
Ignat Korchagin b348d7dddb USB: usbip: fix potential out-of-bounds write
Fix potential out-of-bounds write to urb->transfer_buffer
usbip handles network communication directly in the kernel. When receiving a
packet from its peer, usbip code parses headers according to protocol. As
part of this parsing urb->actual_length is filled. Since the input for
urb->actual_length comes from the network, it should be treated as untrusted.
Any entity controlling the network may put any value in the input and the
preallocated urb->transfer_buffer may not be large enough to hold the data.
Thus, the malicious entity is able to write arbitrary data to kernel memory.

Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-30 21:55:36 -07:00
..
Kconfig
Makefile
README
stub.h
stub_dev.c
stub_main.c
stub_rx.c
stub_tx.c
usbip_common.c USB: usbip: fix potential out-of-bounds write 2016-03-30 21:55:36 -07:00
usbip_common.h
usbip_event.c
vhci.h
vhci_hcd.c
vhci_rx.c
vhci_sysfs.c
vhci_tx.c

README

TODO:
	- more discussion about the protocol
	- testing
	- review of the userspace interface
	- document the protocol

Please send patches for this code to Greg Kroah-Hartman <greg@kroah.com>