From: Shaun Tancheff <[EMAIL PROTECTED]>
Remote NDIS response to OID_GEN_SUPPORTED_LIST only allocated space
for the data attached to the reply, and not the reply structure
itself. This caused
other kmalloc'd memory to be corrupted.
Signed-off-by: Shaun Tancheff <[EMAIL PROTECTED]>
---
Caused oops on iMX21.
diff -urpN linux-2.6.14.5.orig/drivers/usb/gadget/rndis.c
linux-2.6.14.5/drivers/usb/gadget/rndis.c
--- linux-2.6.14.5.orig/drivers/usb/gadget/rndis.c 2006-02-21
18:59:48.000000000 -0600
+++ linux-2.6.14.5/drivers/usb/gadget/rndis.c 2006-02-21
18:10:13.000000000 -0600
@@ -856,9 +856,12 @@ static int rndis_query_response (int con
/*
* we need more memory:
- * oid_supported_list is the largest answer
+ * gen_ndis_query_resp expects enough space for
+ * rndis_query_cmplt_type followed by data.
+ * oid_supported_list is the largest data reply
*/
- r = rndis_add_response (configNr, sizeof (oid_supported_list));
+ r = rndis_add_response (configNr,
+ sizeof (oid_supported_list) + sizeof(rndis_query_cmplt_type));
if (!r)
return -ENOMEM;
resp = (rndis_query_cmplt_type *) r->buf;
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid�3432&bid#0486&dat�1642
_______________________________________________
linux-usb-devel@lists.sourceforge.net
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel
