
Commit 8763716b authored by Shaun Tancheff, committed by Greg Kroah-Hartman

[PATCH] USB: Gadget RNDIS fix alloc bug. (buffer overflow)



Remote NDIS response to OID_GEN_SUPPORTED_LIST only allocated space
for the data attached to the reply, and not the reply structure
itself. This caused other kmalloc'd memory to be corrupted.

Signed-off-by: Shaun Tancheff <shaun@tancheff.com>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
parent d5ec3349
+7 −4
@@ -855,9 +855,12 @@ static int rndis_query_response (int configNr, rndis_query_msg_type *buf)
	
	/*
	 * we need more memory:
	 * oid_supported_list is the largest answer 
	 * gen_ndis_query_resp expects enough space for
	 * rndis_query_cmplt_type followed by data.
	 * oid_supported_list is the largest data reply
	 */
	r = rndis_add_response (configNr, sizeof (oid_supported_list));
	r = rndis_add_response (configNr,
		sizeof (oid_supported_list) + sizeof(rndis_query_cmplt_type));
	if (!r)
		return -ENOMEM;
	resp = (rndis_query_cmplt_type *) r->buf;
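
Review bot: The size passed to rndis_add_response is still only correct while the comment's assumption holds that oid_supported_list is the largest data reply; nothing in the visible lines enforces that, so any query whose data is larger would overrun r->buf in the same way this patch fixes. Consider passing the allocated length (or the remaining data space after sizeof(rndis_query_cmplt_type)) to gen_ndis_query_resp so it can reject a reply that does not fit, rather than relying on a comment. Minor style point on the new call: the two sizeof uses are spaced differently, "sizeof (oid_supported_list)" versus "sizeof(rndis_query_cmplt_type)"; pick the form the rest of the file uses.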