From david-b@pacbell.net Wed Feb 22 19:47:23 2006
From: Shaun Tancheff
Subject: USB: Gadget RNDIS fix alloc bug. (buffer overflow)
Date: Wed, 22 Feb 2006 19:47:19 -0800
To: Greg KH
Cc: Robert Schwebel, Shaun Tancheff
Content-Disposition: inline
Message-Id: <200602221947.20100.david-b@pacbell.net>

From: Shaun Tancheff

Remote NDIS response to OID_GEN_SUPPORTED_LIST only allocated space for the data attached to the reply, and not the reply structure itself. This caused other kmalloc'd memory to be corrupted.

Signed-off-by: Shaun Tancheff
Signed-off-by: David Brownell
Signed-off-by: Greg Kroah-Hartman
---
 drivers/usb/gadget/rndis.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- gregkh-2.6.orig/drivers/usb/gadget/rndis.c +++ gregkh-2.6/drivers/usb/gadget/rndis.c @@ -853,11 +853,14 @@ static int rndis_query_response (int con // DEBUG("%s: OID = %08X\n", __FUNCTION__, cpu_to_le32(buf->OID)); if (!rndis_per_dev_params [configNr].dev) return -ENOTSUPP; - /* - * we need more memory: - * oid_supported_list is the largest answer + /* + * we need more memory: + * gen_ndis_query_resp expects enough space for + * rndis_query_cmplt_type followed by data. + * oid_supported_list is the largest data reply */ - r = rndis_add_response (configNr, sizeof (oid_supported_list)); + r = rndis_add_response (configNr, + sizeof (oid_supported_list) + sizeof(rndis_query_cmplt_type)); if (!r) return -ENOMEM; resp = (rndis_query_cmplt_type *) r->buf;
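Review bot: the new allocation size in this hunk, `sizeof (oid_supported_list) + sizeof(rndis_query_cmplt_type)`, adds the missing room for the reply header, but correctness still rests on oid_supported_list being the largest data reply, an invariant that only the rewritten comment records. Nothing visible in the hunk bounds what gen_ndis_query_resp later writes into r->buf against the length handed to rndis_add_response, so a future OID with a longer reply would reintroduce the same kmalloc corruption silently; suggest passing the allocated length down to gen_ndis_query_resp (or adding a length check there) so the writer validates against the buffer it was actually given rather than trusting the caller's worst-case estimate. Minor style point on the same lines: the two sizeof operands are spelled inconsistently (`sizeof (oid_supported_list)` with a space, `sizeof(rndis_query_cmplt_type)` without).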