rndis_wlan: fix buffer overflow in rndis_query_oid rndis_query_oid overwrites *len which stores buffer size to return full size of received command and then uses *len with memcpy to fill buffer with command. Ofcourse memcpy should be done before replacing buffer size. Signed-off-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi> Signed-off-by: John W. Linville <linville@tuxdriver.com>

commit: c1f8ca1d837148bf061d6ffa2038366e3cf0e4d7 [log] [tgz]
author: Jussi Kivilinna <jussi.kivilinna@mbnet.fi> Sun Nov 22 20:16:42 2009 +0200
committer: John W. Linville <linville@tuxdriver.com> Mon Nov 23 17:05:40 2009 -0500
tree: 99fca98ff500fedf95d68a0c6ae3772490d0d9ce
parent: 841507f5c1a5d2f196afb12e95eb11914f029832 [diff] [blame]
diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
index aa1880a..8b09b04 100644
--- a/drivers/net/wireless/rndis_wlan.c
+++ b/drivers/net/wireless/rndis_wlan.c

@@ -733,12 +733,13 @@
 			le32_to_cpu(u.get_c->status));
 
 	if (ret == 0) {
+		memcpy(data, u.buf + le32_to_cpu(u.get_c->offset) + 8, *len);
+
 		ret = le32_to_cpu(u.get_c->len);
 		if (ret > *len)
 			*len = ret;
-		memcpy(data, u.buf + le32_to_cpu(u.get_c->offset) + 8, *len);
-		ret = rndis_error_status(u.get_c->status);
 
+		ret = rndis_error_status(u.get_c->status);
 		if (ret < 0)
 			devdbg(dev, "rndis_query_oid(%s): device returned "
 				"error,  0x%08x (%d)", oid_to_string(oid),
commit	c1f8ca1d837148bf061d6ffa2038366e3cf0e4d7	[log] [tgz]
author	Jussi Kivilinna <jussi.kivilinna@mbnet.fi>	Sun Nov 22 20:16:42 2009 +0200
committer	John W. Linville <linville@tuxdriver.com>	Mon Nov 23 17:05:40 2009 -0500
tree	99fca98ff500fedf95d68a0c6ae3772490d0d9ce
parent	841507f5c1a5d2f196afb12e95eb11914f029832 [diff] [blame]