Commit 8763716b authored by Shaun Tancheff's avatar Shaun Tancheff Committed by Greg Kroah-Hartman

[PATCH] USB: Gadget RNDIS fix alloc bug. (buffer overflow)

Remote NDIS response to OID_GEN_SUPPORTED_LIST only allocated space
for the data attached to the reply, and not the reply structure
itself. This caused other kmalloc'd memory to be corrupted.
Signed-off-by: default avatarShaun Tancheff <shaun@tancheff.com>
Signed-off-by: default avatarDavid Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent d5ec3349
......@@ -853,11 +853,14 @@ static int rndis_query_response (int configNr, rndis_query_msg_type *buf)
// DEBUG("%s: OID = %08X\n", __FUNCTION__, cpu_to_le32(buf->OID));
if (!rndis_per_dev_params [configNr].dev) return -ENOTSUPP;
/*
* we need more memory:
* oid_supported_list is the largest answer
/*
* we need more memory:
* gen_ndis_query_resp expects enough space for
* rndis_query_cmplt_type followed by data.
* oid_supported_list is the largest data reply
*/
r = rndis_add_response (configNr, sizeof (oid_supported_list));
r = rndis_add_response (configNr,
sizeof (oid_supported_list) + sizeof(rndis_query_cmplt_type));
if (!r)
return -ENOMEM;
resp = (rndis_query_cmplt_type *) r->buf;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment