References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

In the Linux kernel, the following vulnerability has been resolved:

net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check

The same bounds-check bug fixed for NDP16 in the previous patch also
exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated
against the total skb length without accounting for ndpoffset, allowing
out-of-bounds reads when the NDP32 is placed near the end of the NTB.

Add ndpoffset to the nframes bounds check and use struct_size_t() to
express the NDP-plus-DPE-array size more clearly.

Compile-tested only.

https://git.kernel.org/stable/c/125f932a76a97904ef8a555f1dd53e5d0e288c54

https://git.kernel.org/stable/c/77914255155e68a20aa41175edeecf8121dac391

https://git.kernel.org/stable/c/a5bd5a2710310c965ea4153cba4210988a3454e2

https://git.kernel.org/stable/c/af0d1613d6751489dbf9f69aac1123f0b1e566e5

https://git.kernel.org/stable/c/de70da1fb1d152e981ecb3157f7ec2b633005c16