From: Jussi Kivilinna Date: Sun, 22 Nov 2009 18:16:42 +0000 (+0200) Subject: rndis_wlan: fix buffer overflow in rndis_query_oid X-Git-Tag: firefly_0821_release~10186^2~2122 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=d0fe6fb19bcc6d7483c0705d5ae05c75ddfaee59;p=firefly-linux-kernel-4.4.55.git rndis_wlan: fix buffer overflow in rndis_query_oid commit c1f8ca1d837148bf061d6ffa2038366e3cf0e4d7 upstream. rndis_query_oid overwrites *len which stores buffer size to return full size of received command and then uses *len with memcpy to fill buffer with command. Ofcourse memcpy should be done before replacing buffer size. Signed-off-by: Jussi Kivilinna Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c index aa1880add186..8b09b043bc4e 100644 --- a/drivers/net/wireless/rndis_wlan.c +++ b/drivers/net/wireless/rndis_wlan.c @@ -733,12 +733,13 @@ static int rndis_query_oid(struct usbnet *dev, __le32 oid, void *data, int *len) le32_to_cpu(u.get_c->status)); if (ret == 0) { + memcpy(data, u.buf + le32_to_cpu(u.get_c->offset) + 8, *len); + ret = le32_to_cpu(u.get_c->len); if (ret > *len) *len = ret; - memcpy(data, u.buf + le32_to_cpu(u.get_c->offset) + 8, *len); - ret = rndis_error_status(u.get_c->status); + ret = rndis_error_status(u.get_c->status); if (ret < 0) devdbg(dev, "rndis_query_oid(%s): device returned " "error, 0x%08x (%d)", oid_to_string(oid),