提交 c1f8ca1d 编写于 作者: J Jussi Kivilinna 提交者: John W. Linville

rndis_wlan: fix buffer overflow in rndis_query_oid

rndis_query_oid overwrites *len which stores buffer size to return full size
of received command and then uses *len with memcpy to fill buffer with
command.

Ofcourse memcpy should be done before replacing buffer size.
Signed-off-by: NJussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
上级 841507f5
......@@ -733,12 +733,13 @@ static int rndis_query_oid(struct usbnet *dev, __le32 oid, void *data, int *len)
le32_to_cpu(u.get_c->status));
if (ret == 0) {
memcpy(data, u.buf + le32_to_cpu(u.get_c->offset) + 8, *len);
ret = le32_to_cpu(u.get_c->len);
if (ret > *len)
*len = ret;
memcpy(data, u.buf + le32_to_cpu(u.get_c->offset) + 8, *len);
ret = rndis_error_status(u.get_c->status);
ret = rndis_error_status(u.get_c->status);
if (ret < 0)
devdbg(dev, "rndis_query_oid(%s): device returned "
"error, 0x%08x (%d)", oid_to_string(oid),
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册