[056/145] rndis_wlan: fix buffer overflow in rndis_query_oid
From: Greg KH
Date: Fri Mar 12 2010 - 19:33:17 EST
2.6.32-stable review patch. If anyone has any objections, please let me know.
----------------
From: Jussi Kivilinna <jussi.kivilinna@xxxxxxxx>
commit c1f8ca1d837148bf061d6ffa2038366e3cf0e4d7 upstream.
rndis_query_oid overwrites *len which stores buffer size to return full size
of received command and then uses *len with memcpy to fill buffer with
command.
Ofcourse memcpy should be done before replacing buffer size.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@xxxxxxxx>
Signed-off-by: John W. Linville <linville@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---
drivers/net/wireless/rndis_wlan.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/rndis_wlan.c
+++ b/drivers/net/wireless/rndis_wlan.c
@@ -733,12 +733,13 @@ static int rndis_query_oid(struct usbnet
le32_to_cpu(u.get_c->status));
if (ret == 0) {
+ memcpy(data, u.buf + le32_to_cpu(u.get_c->offset) + 8, *len);
+
ret = le32_to_cpu(u.get_c->len);
if (ret > *len)
*len = ret;
- memcpy(data, u.buf + le32_to_cpu(u.get_c->offset) + 8, *len);
- ret = rndis_error_status(u.get_c->status);
+ ret = rndis_error_status(u.get_c->status);
if (ret < 0)
devdbg(dev, "rndis_query_oid(%s): device returned "
"error, 0x%08x (%d)", oid_to_string(oid),
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/