| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20170422170306.11668-1-maksim.salau@gmail.com>
Date: Sat, 22 Apr 2017 20:03:06 +0300
From: Maksim Salau <maksim.salau@...il.com>
To: Kalle Valo <kvalo@...eaurora.org>,
"David S . Miller" <davem@...emloft.net>,
Wolfram Sang <wsa-dev@...g-engineering.com>,
Mugunthan V N <mugunthanvnm@...com>,
Florian Westphal <fw@...len.de>,
linux-wireless@...r.kernel.org, netdev@...r.kernel.org
Cc: Maksim Salau <maksim.salau@...il.com>
Subject: [PATCH] net: wireless: orinoco: usb: Fix buffer on stack
Allocate buffer on HEAP instead of STACK for a local variable
that is to be sent using usb_control_msg().
Signed-off-by: Maksim Salau <maksim.salau@...il.com>
---
drivers/net/wireless/intersil/orinoco/orinoco_usb.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c
index bca6935..eb4528b 100644
--- a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c
+++ b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c
@@ -770,18 +770,31 @@ static int ezusb_submit_in_urb(struct ezusb_priv *upriv)
static inline int ezusb_8051_cpucs(struct ezusb_priv *upriv, int reset)
{
- u8 res_val = reset; /* avoid argument promotion */
+ int ret;
+ u8 *res_val = NULL;
if (!upriv->udev) {
err("%s: !upriv->udev", __func__);
return -EFAULT;
}
- return usb_control_msg(upriv->udev,
+
+ res_val = kmalloc(sizeof(*res_val), GFP_KERNEL);
+
+ if (!res_val)
+ return -ENOMEM;
+
+ *res_val = reset; /* avoid argument promotion */
+
+ ret = usb_control_msg(upriv->udev,
usb_sndctrlpipe(upriv->udev, 0),
EZUSB_REQUEST_FW_TRANS,
USB_TYPE_VENDOR | USB_RECIP_DEVICE |
- USB_DIR_OUT, EZUSB_CPUCS_REG, 0, &res_val,
- sizeof(res_val), DEF_TIMEOUT);
+ USB_DIR_OUT, EZUSB_CPUCS_REG, 0, res_val,
+ sizeof(*res_val), DEF_TIMEOUT);
+
+ kfree(res_val);
+
+ return ret;
}
static int ezusb_firmware_download(struct ezusb_priv *upriv,
--
2.9.3
Powered by blists - more mailing lists