Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b7302ca0 authored by Petko Manolov's avatar Petko Manolov Committed by David S. Miller
Browse files

pegasus: fixes URB buffer allocation size; 



usb_fill_bulk_urb() receives buffer length parameter 8 bytes larger
than what's allocated by alloc_skb(); This seems to be a problem with
older (pegasus usb-1.1) devices, which may silently return more data
than the maximal packet length.

Reported-by: default avatarLincoln Ramsay <a1291762@gmail.com>
Signed-off-by: default avatarPetko Manolov <petkan@mip-labs.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 6c76f3d2

drivers/net/usb/pegasus.c

+3 −3
Original line number Diff line number Diff line
@@ -528,7 +528,7 @@ static void read_bulk_callback(struct urb *urb) 
goon:

	usb_fill_bulk_urb(pegasus->rx_urb, pegasus->usb,

			  usb_rcvbulkpipe(pegasus->usb, 1),

			  pegasus->rx_skb->data, PEGASUS_MTU + 8,

			  pegasus->rx_skb->data, PEGASUS_MTU,

			  read_bulk_callback, pegasus);

	rx_status = usb_submit_urb(pegasus->rx_urb, GFP_ATOMIC);

	if (rx_status == -ENODEV)
@@ -569,7 +569,7 @@ static void rx_fixup(unsigned long data) 
	}

	usb_fill_bulk_urb(pegasus->rx_urb, pegasus->usb,

			  usb_rcvbulkpipe(pegasus->usb, 1),

			  pegasus->rx_skb->data, PEGASUS_MTU + 8,

			  pegasus->rx_skb->data, PEGASUS_MTU,

			  read_bulk_callback, pegasus);

try_again:

	status = usb_submit_urb(pegasus->rx_urb, GFP_ATOMIC);
@@ -823,7 +823,7 @@ static int pegasus_open(struct net_device *net) 


	usb_fill_bulk_urb(pegasus->rx_urb, pegasus->usb,

			  usb_rcvbulkpipe(pegasus->usb, 1),

			  pegasus->rx_skb->data, PEGASUS_MTU + 8,

			  pegasus->rx_skb->data, PEGASUS_MTU,

			  read_bulk_callback, pegasus);

	if ((res = usb_submit_urb(pegasus->rx_urb, GFP_KERNEL))) {

		if (res == -ENODEV)