Remote NDIS response to OID_GEN_SUPPORTED_LIST only allocated space
for the data attached to the reply, and not the reply structure
itself. This caused other kmalloc'd memory to be corrupted.
Signed-off-by: Shaun Tancheff <[EMAIL PROTECTED]>
Signed-off-by: David Brownell <[EMAIL PROTECTED]>
Signed-off-by: Greg Kroah-Hartman <[EMAIL PROTECTED]>
---
drivers/usb/gadget/rndis.c | 11 +++++++----
1 files changed, 7 insertions(+), 4 deletions(-)
8763716bfe4d8a16bef28c9947cf9d799b1796a5
diff --git a/drivers/usb/gadget/rndis.c b/drivers/usb/gadget/rndis.c
index 9689efe..6d6eaad 100644
--- a/drivers/usb/gadget/rndis.c
+++ b/drivers/usb/gadget/rndis.c
@@ -853,11 +853,14 @@ static int rndis_query_response (int con
// DEBUG("%s: OID = %08X\n", __FUNCTION__, cpu_to_le32(buf->OID));
if (!rndis_per_dev_params [configNr].dev) return -ENOTSUPP;
- /*
- * we need more memory:
- * oid_supported_list is the largest answer
+ /*
+ * we need more memory:
+ * gen_ndis_query_resp expects enough space for
+ * rndis_query_cmplt_type followed by data.
+ * oid_supported_list is the largest data reply
*/
- r = rndis_add_response (configNr, sizeof (oid_supported_list));
+ r = rndis_add_response (configNr,
+ sizeof (oid_supported_list) + sizeof(rndis_query_cmplt_type));
if (!r)
return -ENOMEM;
resp = (rndis_query_cmplt_type *) r->buf;
-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
linux-usb-devel@lists.sourceforge.net
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel
