Message-ID: <tencent_693B44F3060A525A26EEC5ED8DFF5E92C906@qq.com>
Date: Fri, 11 Jul 2025 14:40:19 +0800
From: jackysliu <1972843537@...com>
To: gregkh@...uxfoundation.org
Cc: 1972843537@...com,
linux-kernel@...r.kernel.org,
linux-usb@...r.kernel.org,
viro@...iv.linux.org.uk
Subject: Re: [PATCH v2] usb: gadget: functioni: Fix a oob problem in rndis
On Fri, Jul 11, 2025 at 11:46:35AM +0800, greg k-h wrote:
> Sure, but again, BufLength is not used for anything, so the value of
> that variable means nothing as far as I can tell.

> How exactly? Again, BufLength isn't even used in that function
The function contains the code below:

    if (gen_ndis_set_resp(params, le32_to_cpu(buf->OID),
                          ((u8 *)buf) + 8 + BufOffset, BufLength, r))

((u8 *)buf) + 8 + BufOffset determines the base address of the buffer
and BufLength determines the buffer length.
> How was this tested?
>
> And even more importantly, how did you find this bug? What triggered
> it?
I detected this problem through static analysis and calibrated
the device via qemu emulation.
Anyway, this problem seems hard to fix, I'll try my best.
Thanks
Siyang Liu
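As an added example (not code from the patch or from the kernel), this is the kind of bounds check the exchange above is about: before `((u8 *)buf) + 8 + BufOffset` and `BufLength` are handed to `gen_ndis_set_resp`, confirm that the described buffer lies inside the bytes actually received. The field layout follows the RNDIS REMOTE_NDIS_SET_MSG format; the helper names, the 256-byte scratch buffer and the sample values are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* REMOTE_NDIS_SET_MSG header: seven little-endian u32 fields, in order
 * MessageType, MessageLength, RequestID, OID, InformationBufferLength,
 * InformationBufferOffset, DeviceVcHandle (per the RNDIS spec; this example
 * does not use the kernel struct). The kernel's "+ 8" skips the first two
 * fields because InformationBufferOffset is counted from RequestID. */
#define RNDIS_SET_HDR_LEN 28u
#define RNDIS_MSG_SET     0x00000005u

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* 1 if the buffer named by BufOffset/BufLength lies entirely within the
 * msg_len bytes received, else 0. 64-bit math so huge values cannot wrap. */
int rndis_set_info_in_bounds(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < RNDIS_SET_HDR_LEN) return 0;
    uint64_t buf_len = rd_le32(msg + 16);   /* InformationBufferLength */
    uint64_t buf_off = rd_le32(msg + 20);   /* InformationBufferOffset */
    uint64_t end = 8 + buf_off + buf_len;   /* base is ((u8 *)buf)+8+BufOffset */
    return end <= msg_len;
}

/* Constructed helper: a set message with info_len payload bytes after the
 * header, but with the length/offset fields set to whatever the caller
 * claims, so malformed headers can be run through the check. */
int check_case(uint32_t info_len, uint32_t claimed_len, uint32_t claimed_off)
{
    uint8_t msg[256];
    size_t total = RNDIS_SET_HDR_LEN + info_len;
    if (total > sizeof(msg)) return -1;
    memset(msg, 0, total);
    wr_le32(msg + 0, RNDIS_MSG_SET);
    wr_le32(msg + 4, (uint32_t)total);
    wr_le32(msg + 16, claimed_len);
    wr_le32(msg + 20, claimed_off);
    return rndis_set_info_in_bounds(msg, total);
}
```

A well-formed message has the information buffer directly after the header, so its offset (from RequestID) is 20 and its length equals the payload actually present; a length one byte too large, or an offset near UINT32_MAX that would pass a 32-bit check by wrapping, is rejected.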