[PATCH] USB: Gadget RNDIS fix alloc bug. (buffer overflow)

Remote NDIS response to OID_GEN_SUPPORTED_LIST only allocated space for the data attached to the reply, and not the reply structure itself. This caused other kmalloc'd memory to be corrupted. Signed-off-by: Shaun Tancheff <shaun@tancheff.com> Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2025-01-11 16:29:05 +00:00 · 2006-02-22 19:47:19 -08:00 · 2006-02-22 19:47:19 -08:00 · 8763716bfe
commit 8763716bfe
parent d5ec33490c
1 changed files with 7 additions and 4 deletions
--- a/drivers/usb/gadget/rndis.c
+++ b/drivers/usb/gadget/rndis.c
@ -853,11 +853,14 @@ static int rndis_query_response (int configNr, rndis_query_msg_type *buf)
 	// DEBUG("%s: OID = %08X\n", __FUNCTION__, cpu_to_le32(buf->OID));
 	if (!rndis_per_dev_params [configNr].dev) return -ENOTSUPP;
 	
-	/* 
-	 * we need more memory: 
-	 * oid_supported_list is the largest answer 
+	/*
+	 * we need more memory:
+	 * gen_ndis_query_resp expects enough space for
+	 * rndis_query_cmplt_type followed by data.
+	 * oid_supported_list is the largest data reply
 	 */
-	r = rndis_add_response (configNr, sizeof (oid_supported_list));
+	r = rndis_add_response (configNr,
+		sizeof (oid_supported_list) + sizeof(rndis_query_cmplt_type));
 	if (!r)
 		return -ENOMEM;
 	resp = (rndis_query_cmplt_type *) r->buf;