首页 发现 帮助
注册 登录
phyus
/
linux-vybrid_public
8
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
浏览代码

rndis_wlan: copy only useful data from rndis_command respond

rndis_query_oid() uses full output buffer size to copy response buffer
from rndis_command()/device. This doesn't cause problems as response buffer
is sized based on output buffer but does copy extra unset bytes.
So change rndis_query_oid() so that only meaningful bytes are being copied.

Also in case of malfunctioning device/cable/etc returned data offset from
device might be wrong so bound check memory access correctly, so add
checks for this.

v2: fixed to use new netdev_dbg/warn/etc instead of old devdbg/warn/etc

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Jussi Kivilinna 15 年之前
父节点
eae44756d6
当前提交
80f8c5b434
共有 1 个文件被更改,包括 29 次插入4 次删除
合并视图 显示文件统计
  1. 29 4
      drivers/net/wireless/rndis_wlan.c

+ 29 - 4
drivers/net/wireless/rndis_wlan.c
查看文件 

@@ -704,6 +704,7 @@ static int rndis_query_oid(struct usbnet *dev, __le32 oid, void *data, int *len)
 
 		struct rndis_query_c	*get_c;
 
 		struct rndis_query_c	*get_c;
 
 	} u;
 
 	} u;
 
 	int ret, buflen;
 
 	int ret, buflen;
 
+	int resplen, respoffs, copylen;
 
 
 
 	buflen = *len + sizeof(*u.get);
 
 	buflen = *len + sizeof(*u.get);
 
 	if (buflen < CONTROL_BUFFER_SIZE)
 
 	if (buflen < CONTROL_BUFFER_SIZE)
 
@@ -733,11 +734,34 @@ static int rndis_query_oid(struct usbnet *dev, __le32 oid, void *data, int *len)
 
 			   le32_to_cpu(u.get_c->status));
 
 			   le32_to_cpu(u.get_c->status));
 
 
 
 	if (ret == 0) {
 
 	if (ret == 0) {
 
-		memcpy(data, u.buf + le32_to_cpu(u.get_c->offset) + 8, *len);
 
+		resplen = le32_to_cpu(u.get_c->len);
 
+		respoffs = le32_to_cpu(u.get_c->offset) + 8;
 
 
 
-		ret = le32_to_cpu(u.get_c->len);
 
-		if (ret > *len)
 
-			*len = ret;
 
+		if (respoffs > buflen) {
 
+			/* Device returned data offset outside buffer, error. */
 
+			netdev_dbg(dev->net, "%s(%s): received invalid "
 
+				"data offset: %d > %d\n", __func__,
 
+				oid_to_string(oid), respoffs, buflen);
 
+
 
+			ret = -EINVAL;
 
+			goto exit_unlock;
 
+		}
 
+
 
+		if ((resplen + respoffs) > buflen) {
 
+			/* Device would have returned more data if buffer would
 
+			 * have been big enough. Copy just the bits that we got.
 
+			 */
 
+			copylen = buflen - respoffs;
 
+		} else {
 
+			copylen = resplen;
 
+		}
 
+
 
+		if (copylen > *len)
 
+			copylen = *len;
 
+
 
+		memcpy(data, u.buf + respoffs, copylen);
 
+
 
+		*len = resplen;
 
 
 
 		ret = rndis_error_status(u.get_c->status);
 
 		ret = rndis_error_status(u.get_c->status);
 
 		if (ret < 0)
 
 		if (ret < 0)
 
@@ -746,6 +770,7 @@ static int rndis_query_oid(struct usbnet *dev, __le32 oid, void *data, int *len)
 
 				   le32_to_cpu(u.get_c->status), ret);
 
 				   le32_to_cpu(u.get_c->status), ret);
 
 	}
 
 	}
 
 
 
+exit_unlock:
 
 	mutex_unlock(&priv->command_lock);
 
 	mutex_unlock(&priv->command_lock);
 
 
 
 	if (u.buf != priv->command_buffer)
 
 	if (u.buf != priv->command_buffer)