From patchwork Thu Mar 4 16:27:02 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jussi Kivilinna X-Patchwork-Id: 83629 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by demeter.kernel.org (8.14.3/8.14.3) with ESMTP id o24GR6wd012615 for ; Thu, 4 Mar 2010 16:27:06 GMT Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754750Ab0CDQ1F (ORCPT ); Thu, 4 Mar 2010 11:27:05 -0500 Received: from sypressi.dnainternet.net ([83.102.40.135]:60285 "EHLO sypressi.dnainternet.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753202Ab0CDQ1E (ORCPT ); Thu, 4 Mar 2010 11:27:04 -0500 Received: from localhost (localhost [127.0.0.1]) by sypressi.dnainternet.net (Postfix) with ESMTP id 01803C6062; Thu, 4 Mar 2010 18:27:03 +0200 (EET) X-Virus-Scanned: DNA Postiturva at dnainternet.net X-Spam-Flag: NO X-Spam-Score: 1.789 X-Spam-Level: * X-Spam-Status: No, score=1.789 tagged_above=-9999 required=6 tests=[AWL=-0.913, HELO_LH_HOME=2.602, RDNS_DYNAMIC=0.1] Received: from sypressi.dnainternet.net ([83.102.40.135]) by localhost (sypressi.dnainternet.net [127.0.0.1]) (amavisd-new, port 10041) with ESMTP id Mx1NBUz1zl9S; Thu, 4 Mar 2010 18:27:02 +0200 (EET) Received: from kirsikkapuu.dnainternet.net (kirsikkapuu.dnainternet.net [83.102.40.214]) by sypressi.dnainternet.net (Postfix) with ESMTP id C9D26C615C; Thu, 4 Mar 2010 18:27:02 +0200 (EET) Received: from fate.lan (dyn2-85-23-163-23.psoas.suomi.net [85.23.163.23]) by kirsikkapuu.dnainternet.net (Postfix) with ESMTP id B4AA47F003; Thu, 4 Mar 2010 18:27:02 +0200 (EET) From: Jussi Kivilinna Subject: [PATCH 1/4 v2] rndis_wlan: copy only useful data from rndis_command respond To: "John W. Linville" Cc: linux-wireless@vger.kernel.org Date: Thu, 04 Mar 2010 18:27:02 +0200 Message-ID: <20100304162657.2609.64867.stgit@fate.lan> User-Agent: StGIT/0.14.2 MIME-Version: 1.0 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.3 (demeter.kernel.org [140.211.167.41]); Thu, 04 Mar 2010 16:27:06 +0000 (UTC) diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c index 9f6d6bf..a4f70de 100644 --- a/drivers/net/wireless/rndis_wlan.c +++ b/drivers/net/wireless/rndis_wlan.c @@ -704,6 +704,7 @@ static int rndis_query_oid(struct usbnet *dev, __le32 oid, void *data, int *len) struct rndis_query_c *get_c; } u; int ret, buflen; + int resplen, respoffs, copylen; buflen = *len + sizeof(*u.get); if (buflen < CONTROL_BUFFER_SIZE) @@ -733,11 +734,34 @@ static int rndis_query_oid(struct usbnet *dev, __le32 oid, void *data, int *len) le32_to_cpu(u.get_c->status)); if (ret == 0) { - memcpy(data, u.buf + le32_to_cpu(u.get_c->offset) + 8, *len); + resplen = le32_to_cpu(u.get_c->len); + respoffs = le32_to_cpu(u.get_c->offset) + 8; - ret = le32_to_cpu(u.get_c->len); - if (ret > *len) - *len = ret; + if (respoffs > buflen) { + /* Device returned data offset outside buffer, error. */ + netdev_dbg(dev->net, "%s(%s): received invalid " + "data offset: %d > %d\n", __func__, + oid_to_string(oid), respoffs, buflen); + + ret = -EINVAL; + goto exit_unlock; + } + + if ((resplen + respoffs) > buflen) { + /* Device would have returned more data if buffer would + * have been big enough. Copy just the bits that we got. + */ + copylen = buflen - respoffs; + } else { + copylen = resplen; + } + + if (copylen > *len) + copylen = *len; + + memcpy(data, u.buf + respoffs, copylen); + + *len = resplen; ret = rndis_error_status(u.get_c->status); if (ret < 0) @@ -746,6 +770,7 @@ static int rndis_query_oid(struct usbnet *dev, __le32 oid, void *data, int *len) le32_to_cpu(u.get_c->status), ret); } +exit_unlock: mutex_unlock(&priv->command_lock); if (u.buf != priv->command_buffer)