Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c1f8ca1d authored by Jussi Kivilinna's avatar Jussi Kivilinna Committed by John W. Linville
Browse files

rndis_wlan: fix buffer overflow in rndis_query_oid 



rndis_query_oid overwrites *len which stores buffer size to return full size
of received command and then uses *len with memcpy to fill buffer with
command.

Ofcourse memcpy should be done before replacing buffer size.

Signed-off-by: default avatarJussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 841507f5

drivers/net/wireless/rndis_wlan.c

+3 −2
Original line number Diff line number Diff line
@@ -733,12 +733,13 @@ static int rndis_query_oid(struct usbnet *dev, __le32 oid, void *data, int *len) 
			le32_to_cpu(u.get_c->status));



	if (ret == 0) {

		memcpy(data, u.buf + le32_to_cpu(u.get_c->offset) + 8, *len);



		ret = le32_to_cpu(u.get_c->len);

		if (ret > *len)

			*len = ret;

		memcpy(data, u.buf + le32_to_cpu(u.get_c->offset) + 8, *len);

		ret = rndis_error_status(u.get_c->status);



		ret = rndis_error_status(u.get_c->status);

		if (ret < 0)

			devdbg(dev, "rndis_query_oid(%s): device returned "

				"error,  0x%08x (%d)", oid_to_string(oid),