usb_rndis: use the "data offset" field instead of hardcoding it

Not sure if other phones could use another value, but it's better to
follow the spec. Also add some bounds checks with traces for now if we
see something strange.

Change-Id: I5c7bc37c4730e6a08bf0bf10fed975bf2012102e
Reviewed-on: https://review.haiku-os.org/c/haiku/+/5376
Reviewed-by: waddlesplash <waddlesplash@gmail.com>
Reviewed-by: Adrien Destugues <pulkomandy@pulkomandy.tk>
PulkoMandy 2022-06-10 21:37:25 +02:00 committed by Adrien Destugues
parent 802e16c55a
commit 4dda1c0369
1 changed files with 8 additions and 2 deletions

@ -289,8 +289,13 @@ RNDISDevice::Read(uint8 *buffer, size_t *numBytes)
fActualLengthRead);
}
if (fReadHeader[2] + fReadHeader[3] > fReadHeader[1]) {
TRACE_ALWAYS("Received frame data goes past end of frame: %d + %d > %d", fReadHeader[2],
fReadHeader[3], fReadHeader[1]);
}
if (fReadHeader[4] != 0 || fReadHeader[5] != 0 || fReadHeader[6] != 0) {
TRACE_ALWAYS("Received frame has out of bound data: off %08" B_PRIx32 " len %08" B_PRIx32
TRACE_ALWAYS("Received frame has out of band data: off %08" B_PRIx32 " len %08" B_PRIx32
" count %08" B_PRIx32 "\n", fReadHeader[4], fReadHeader[5], fReadHeader[6]);
}
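Review bot: the new check `if (fReadHeader[2] + fReadHeader[3] > fReadHeader[1])` only calls TRACE_ALWAYS and then falls through, so a frame that fails it is still processed by the copy further down. Since these values come from the device, I would return an error (for example B_BAD_DATA) from this branch instead of only logging. Three smaller points on the same lines: the fields are printed with B_PRIx32 elsewhere, so they look like 32-bit values and the addition can wrap, which is avoided by comparing as `fReadHeader[3] > fReadHeader[1] - fReadHeader[2]` after first checking `fReadHeader[2] <= fReadHeader[1]`; the later hunk adds `2 * sizeof(uint32)` to the data offset, and this comparison against the message length leaves those 8 bytes out; and the trace uses `%d` and has no trailing "\n", unlike the neighbouring traces.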
@ -304,7 +309,8 @@ RNDISDevice::Read(uint8 *buffer, size_t *numBytes)
}
*numBytes = fReadHeader[3];
memcpy(buffer, fReadHeader + 11, fReadHeader[3]);
int offset = fReadHeader[2] + 2 * sizeof(uint32);
memcpy(buffer, (uint8*)fReadHeader + offset, fReadHeader[3]);
TRACE("Received data packet len %08" B_PRIx32 " data [off %08" B_PRIx32 " len %08" B_PRIx32 "]\n",
fReadHeader[1], fReadHeader[2], fReadHeader[3]);
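Review bot: in `memcpy(buffer, (uint8*)fReadHeader + offset, fReadHeader[3]);` both the source offset and the length are taken from the received header, and nothing in the visible lines compares `offset + fReadHeader[3]` with fActualLengthRead or with the size the caller passed in, which `*numBytes = fReadHeader[3];` overwrites just above. With the hardcoded `+ 11` only the length was device-controlled; now the start of the read is too, so a malformed frame can make the copy read past the receive buffer and write past the caller's buffer. I would save the caller's `*numBytes` before overwriting it and bail out before the memcpy when `offset` or `offset + fReadHeader[3]` exceeds fActualLengthRead, or when `fReadHeader[3]` exceeds the saved size. Also, `int offset` holds the sum of an unsigned field and a size_t; declaring it as `size_t` or `uint32` avoids a negative value after conversion.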