diff options
| author | Shaun Tancheff <shaun@tancheff.com> | 2006-02-22 22:47:19 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2006-02-28 15:42:06 -0500 |
| commit | 8763716bfe4d8a16bef28c9947cf9d799b1796a5 (patch) | |
| tree | f0e8d0dcbf55953ea084f110c013743716b2a068 /drivers | |
| parent | d5ec33490c67affef93aebf76e1238260c82d377 (diff) | |
[PATCH] USB: Gadget RNDIS fix alloc bug. (buffer overflow)
Remote NDIS response to OID_GEN_SUPPORTED_LIST only allocated space
for the data attached to the reply, and not the reply structure
itself. This caused other kmalloc'd memory to be corrupted.
Signed-off-by: Shaun Tancheff <shaun@tancheff.com>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/usb/gadget/rndis.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/drivers/usb/gadget/rndis.c b/drivers/usb/gadget/rndis.c index 9689efeb364c..6d6eaad73968 100644 --- a/drivers/usb/gadget/rndis.c +++ b/drivers/usb/gadget/rndis.c | |||
| @@ -853,11 +853,14 @@ static int rndis_query_response (int configNr, rndis_query_msg_type *buf) | |||
| 853 | // DEBUG("%s: OID = %08X\n", __FUNCTION__, cpu_to_le32(buf->OID)); | 853 | // DEBUG("%s: OID = %08X\n", __FUNCTION__, cpu_to_le32(buf->OID)); |
| 854 | if (!rndis_per_dev_params [configNr].dev) return -ENOTSUPP; | 854 | if (!rndis_per_dev_params [configNr].dev) return -ENOTSUPP; |
| 855 | 855 | ||
| 856 | /* | 856 | /* |
| 857 | * we need more memory: | 857 | * we need more memory: |
| 858 | * oid_supported_list is the largest answer | 858 | * gen_ndis_query_resp expects enough space for |
| 859 | * rndis_query_cmplt_type followed by data. | ||
| 860 | * oid_supported_list is the largest data reply | ||
| 859 | */ | 861 | */ |
| 860 | r = rndis_add_response (configNr, sizeof (oid_supported_list)); | 862 | r = rndis_add_response (configNr, |
| 863 | sizeof (oid_supported_list) + sizeof(rndis_query_cmplt_type)); | ||
| 861 | if (!r) | 864 | if (!r) |
| 862 | return -ENOMEM; | 865 | return -ENOMEM; |
| 863 | resp = (rndis_query_cmplt_type *) r->buf; | 866 | resp = (rndis_query_cmplt_type *) r->buf; |