提交 8763716b 编写于 作者: S Shaun Tancheff 提交者: Greg Kroah-Hartman

[PATCH] USB: Gadget RNDIS fix alloc bug. (buffer overflow)

Remote NDIS response to OID_GEN_SUPPORTED_LIST only allocated space
for the data attached to the reply, and not the reply structure
itself. This caused other kmalloc'd memory to be corrupted.
Signed-off-by: NShaun Tancheff <shaun@tancheff.com>
Signed-off-by: NDavid Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
上级 d5ec3349
...@@ -853,11 +853,14 @@ static int rndis_query_response (int configNr, rndis_query_msg_type *buf) ...@@ -853,11 +853,14 @@ static int rndis_query_response (int configNr, rndis_query_msg_type *buf)
// DEBUG("%s: OID = %08X\n", __FUNCTION__, cpu_to_le32(buf->OID)); // DEBUG("%s: OID = %08X\n", __FUNCTION__, cpu_to_le32(buf->OID));
if (!rndis_per_dev_params [configNr].dev) return -ENOTSUPP; if (!rndis_per_dev_params [configNr].dev) return -ENOTSUPP;
/* /*
* we need more memory: * we need more memory:
* oid_supported_list is the largest answer * gen_ndis_query_resp expects enough space for
* rndis_query_cmplt_type followed by data.
* oid_supported_list is the largest data reply
*/ */
r = rndis_add_response (configNr, sizeof (oid_supported_list)); r = rndis_add_response (configNr,
sizeof (oid_supported_list) + sizeof(rndis_query_cmplt_type));
if (!r) if (!r)
return -ENOMEM; return -ENOMEM;
resp = (rndis_query_cmplt_type *) r->buf; resp = (rndis_query_cmplt_type *) r->buf;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册