diff options
author | Greg Kroah-Hartman <gregkh@suse.de> | 2006-02-22 21:16:30 -0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2006-02-22 21:16:30 -0800 |
commit | d167529dacbad453f1449e5e78b4857c6e687bf0 (patch) | |
tree | 651bab959bbc0204bef30d17f8368f100f6a8421 /usb | |
parent | eb6b406dcc7096974eec722b436e0f05eca353a4 (diff) | |
download | patches-d167529dacbad453f1449e5e78b4857c6e687bf0.tar.gz |
more pci usb and spi patches
Diffstat (limited to 'usb')
-rw-r--r-- | usb/usb-gadget-driver-section-fixups.patch | 4 | ||||
-rw-r--r-- | usb/usb-gadget-rndis-fix-alloc-bug.patch | 43 |
2 files changed, 45 insertions, 2 deletions
diff --git a/usb/usb-gadget-driver-section-fixups.patch b/usb/usb-gadget-driver-section-fixups.patch index 8d30bb47b4aa9..ff346c59f1164 100644 --- a/usb/usb-gadget-driver-section-fixups.patch +++ b/usb/usb-gadget-driver-section-fixups.patch @@ -104,7 +104,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> .setup = gs_setup, .disconnect = gs_disconnect, .driver = { -@@ -1412,7 +1412,7 @@ requeue: +@@ -1413,7 +1413,7 @@ requeue: * Called on module load. Allocates and initializes the device * structure and a control request. */ @@ -113,7 +113,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> { int ret; struct usb_ep *ep; -@@ -1537,7 +1537,7 @@ autoconf_fail: +@@ -1538,7 +1538,7 @@ autoconf_fail: * Called on module unload. Frees the control request and device * structure. */ diff --git a/usb/usb-gadget-rndis-fix-alloc-bug.patch b/usb/usb-gadget-rndis-fix-alloc-bug.patch new file mode 100644 index 0000000000000..0b9e9a26f47a5 --- /dev/null +++ b/usb/usb-gadget-rndis-fix-alloc-bug.patch @@ -0,0 +1,43 @@ +From david-b@pacbell.net Wed Feb 22 19:47:23 2006 +From: Shaun Tancheff <shaun@tancheff.com> +Subject: USB: Gadget RNDIS fix alloc bug. (buffer overflow) +Date: Wed, 22 Feb 2006 19:47:19 -0800 +To: Greg KH <gregkh@suse.de> +Cc: Robert Schwebel <r.schwebel@pengutronix.de>, Shaun Tancheff <shaun@tancheff.com> +Content-Disposition: inline +Message-Id: <200602221947.20100.david-b@pacbell.net> + +From: Shaun Tancheff <shaun@tancheff.com> + +Remote NDIS response to OID_GEN_SUPPORTED_LIST only allocated space +for the data attached to the reply, and not the reply structure +itself. This caused other kmalloc'd memory to be corrupted. + +Signed-off-by: Shaun Tancheff <shaun@tancheff.com> +Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +--- + drivers/usb/gadget/rndis.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- gregkh-2.6.orig/drivers/usb/gadget/rndis.c ++++ gregkh-2.6/drivers/usb/gadget/rndis.c +@@ -853,11 +853,14 @@ static int rndis_query_response (int con + // DEBUG("%s: OID = %08X\n", __FUNCTION__, cpu_to_le32(buf->OID)); + if (!rndis_per_dev_params [configNr].dev) return -ENOTSUPP; + +- /* +- * we need more memory: +- * oid_supported_list is the largest answer ++ /* ++ * we need more memory: ++ * gen_ndis_query_resp expects enough space for ++ * rndis_query_cmplt_type followed by data. ++ * oid_supported_list is the largest data reply + */ +- r = rndis_add_response (configNr, sizeof (oid_supported_list)); ++ r = rndis_add_response (configNr, ++ sizeof (oid_supported_list) + sizeof(rndis_query_cmplt_type)); + if (!r) + return -ENOMEM; + resp = (rndis_query_cmplt_type *) r->buf; |