Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

This project is archived. Its data is read-only.

Commit 315b37ee authored Mar 06, 2014 by Subash Abhinov Kasiviswanathan

net: rmnet_data: modify 8-byte QoS Header



Clients consuming the 8-byte QoS header expect the flowID
in a different position in the header thus causing random address
dereference and a potential crash. Update the 8-byte QoS header
format structure as specified in the mandated QOS specification

CRs-Fixed: 625709
Change-Id: I58c662ff2f3adfe9584d19891339ea31ce0c8bd3
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>

parent 500bff85

include/uapi/linux/msm_rmnet.h

+2 −3

Original line number	Diff line number	Diff line
		@@ -138,9 +138,8 @@ struct QMI_QOS_HDR_S {

		/* QMI QoS 8-byte header. */
		struct qmi_qos_hdr8_s {
		uint8_t version_flags;
		uint8_t reserved[3];
		uint32_t flow_id;
		struct QMI_QOS_HDR_S hdr;
		uint8_t reserved[2];
		} __attribute((__packed__));

		#endif /* _UAPI_MSM_RMNET_H_ */

net/rmnet_data/rmnet_data_vnd.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -93,9 +93,10 @@ static void rmnet_vnd_add_qos_header(struct sk_buff *skb,
		qmi8h = (struct qmi_qos_hdr8_s *)
		skb_push(skb, sizeof(struct qmi_qos_hdr8_s));
		/* Flags are 0 always */
		qmi8h->version_flags = 0;
		qmi8h->hdr.version = 0;
		qmi8h->hdr.flags = 0;
		memset(qmi8h->reserved, 0, sizeof(qmi8h->reserved));
		qmi8h->flow_id = skb->mark;
		qmi8h->hdr.flow_id = skb->mark;
		} else {
		LOGD("%s(): Bad QoS version configured\n", __func__);
		}