mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity

[PATCH] USB: Gadget RNDIS fix alloc bug. (buffer overflow) 

Remote NDIS response to OID_GEN_SUPPORTED_LIST only allocated space
for the data attached to the reply, and not the reply structure
itself. This caused other kmalloc'd memory to be corrupted.

Signed-off-by: Shaun Tancheff <shaun@tancheff.com>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
Shaun Tancheff 2006-02-22 19:47:19 -08:00 committed by Greg Kroah-Hartman
parent d5ec33490c
commit 8763716bfe
1 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
drivers/usb/gadget/rndis.c
View File

@ -853,11 +853,14 @@ static int rndis_query_response (int configNr, rndis_query_msg_type *buf)
// DEBUG("%s: OID = %08X\n", __FUNCTION__, cpu_to_le32(buf->OID));
if (!rndis_per_dev_params [configNr].dev) return -ENOTSUPP;
/*
* we need more memory:
* oid_supported_list is the largest answer
/*
* we need more memory:
* gen_ndis_query_resp expects enough space for
* rndis_query_cmplt_type followed by data.
* oid_supported_list is the largest data reply
*/
r = rndis_add_response (configNr, sizeof (oid_supported_list));
r = rndis_add_response (configNr,
sizeof (oid_supported_list) + sizeof(rndis_query_cmplt_type));
if (!r)
return -ENOMEM;
resp = (rndis_query_cmplt_type *) r->buf;