[PATCH] USB: Gadget RNDIS fix alloc bug. (buffer overflow)

Remote NDIS response to OID_GEN_SUPPORTED_LIST only allocated space for the data attached to the reply, and not the reply structure itself. This caused other kmalloc'd memory to be corrupted. Signed-off-by: N Shaun Tancheff <shaun@tancheff.com> Signed-off-by: N David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: N Greg Kroah-Hartman <gregkh@suse.de>

[PATCH] USB: Gadget RNDIS fix alloc bug. (buffer overflow)
Remote NDIS response to OID_GEN_SUPPORTED_LIST only allocated space for the data attached to the reply, and not the reply structure itself. This caused other kmalloc'd memory to be corrupted. Signed-off-by: N Shaun Tancheff <shaun@tancheff.com> Signed-off-by: N David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: N Greg Kroah-Hartman <gregkh@suse.de>
8763716b · Shaun Tancheff · Greg Kroah-Hartman · d5ec3349 · 8763716b
隐藏空白更改
内联并排

Showing with 7 addition and 4 deletion

drivers/usb/gadget/rndis.c drivers/usb/gadget/rndis.c +7 -4

未找到文件。
--- a/drivers/usb/gadget/rndis.c
+++ b/drivers/usb/gadget/rndis.c
@@ -853,11 +853,14 @@ static int rndis_query_response (int configNr, rndis_query_msg_type *buf)
 	// DEBUG("%s: OID = %08X\n", __FUNCTION__, cpu_to_le32(buf->OID));
 	if (!rndis_per_dev_params [configNr].dev) return -ENOTSUPP;
 	
-	/* 
-	 * we need more memory: 
-	 * oid_supported_list is the largest answer 
+	/*
+	 * we need more memory:
+	 * gen_ndis_query_resp expects enough space for
+	 * rndis_query_cmplt_type followed by data.
+	 * oid_supported_list is the largest data reply
 	 */
-	r = rndis_add_response (configNr, sizeof (oid_supported_list));
+	r = rndis_add_response (configNr,
+		sizeof (oid_supported_list) + sizeof(rndis_query_cmplt_type));
 	if (!r)
 		return -ENOMEM;
 	resp = (rndis_query_cmplt_type *) r->buf;