From 4dda1c0369c8b53d7dc5906b332bee14c3746c18 Mon Sep 17 00:00:00 2001
From: PulkoMandy
Date: Fri, 10 Jun 2022 21:37:25 +0200
Subject: [PATCH] usb_rndis: use the "data offset" field instead of hardcoding it

Not sure if other phones could use another value, but it's better to follow the spec. Also add some bounds checks with traces for now if we see something strange.

Change-Id: I5c7bc37c4730e6a08bf0bf10fed975bf2012102e
Reviewed-on: https://review.haiku-os.org/c/haiku/+/5376
Reviewed-by: waddlesplash
Reviewed-by: Adrien Destugues
---
 .../drivers/network/ether/usb_rndis/RNDISDevice.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/add-ons/kernel/drivers/network/ether/usb_rndis/RNDISDevice.cpp b/src/add-ons/kernel/drivers/network/ether/usb_rndis/RNDISDevice.cpp
index b23b5ea6cb..1b17befba3 100644
--- a/src/add-ons/kernel/drivers/network/ether/usb_rndis/RNDISDevice.cpp
+++ b/src/add-ons/kernel/drivers/network/ether/usb_rndis/RNDISDevice.cpp
@@ -289,8 +289,13 @@ RNDISDevice::Read(uint8 *buffer, size_t *numBytes)
 			fActualLengthRead);
 	}
 
+	if (fReadHeader[2] + fReadHeader[3] > fReadHeader[1]) {
+		TRACE_ALWAYS("Received frame data goes past end of frame: %d + %d > %d", fReadHeader[2],
+			fReadHeader[3], fReadHeader[1]);
+	}
+
 	if (fReadHeader[4] != 0 || fReadHeader[5] != 0 || fReadHeader[6] != 0) {
-		TRACE_ALWAYS("Received frame has out of bound data: off %08" B_PRIx32 " len %08" B_PRIx32
+		TRACE_ALWAYS("Received frame has out of band data: off %08" B_PRIx32 " len %08" B_PRIx32
 			" count %08" B_PRIx32 "\n", fReadHeader[4], fReadHeader[5], fReadHeader[6]);
 	}
 
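Review bot: The new range check at the top of the hunk only traces and then falls through, so a header whose data offset plus length exceeds the frame is still used by the memcpy later in Read(); since fReadHeader is filled from the USB device, the check should reject the frame (return an error or drop it) rather than continue, and it should bound the values by fActualLengthRead, the byte count actually received, not only by the device-supplied fReadHeader[1]. The sum `fReadHeader[2] + fReadHeader[3]` is uint32 arithmetic and can wrap, which lets an oversized length pass the comparison; compute it as `(uint64)fReadHeader[2] + fReadHeader[3] > fReadHeader[1]` or test each field on its own. The trace uses `%d` for uint32 values and has no trailing `\n`, unlike the neighbouring TRACE_ALWAYS; `"... %" B_PRIu32 " + %" B_PRIu32 " > %" B_PRIu32 "\n"` keeps the two consistent. Read()'s body continues outside the hunk.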
@@ -304,7 +309,8 @@ RNDISDevice::Read(uint8 *buffer, size_t *numBytes)
 	}
 
 	*numBytes = fReadHeader[3];
-	memcpy(buffer, fReadHeader + 11, fReadHeader[3]);
+	int offset = fReadHeader[2] + 2 * sizeof(uint32);
+	memcpy(buffer, (uint8*)fReadHeader + offset, fReadHeader[3]);
 
 	TRACE("Received data packet len %08" B_PRIx32 " data [off %08" B_PRIx32 " len %08" B_PRIx32 "]\n",
 		fReadHeader[1], fReadHeader[2], fReadHeader[3]);
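Review bot: The memcpy now reads from a device-controlled offset, but within this hunk neither `offset + fReadHeader[3]` is bounded by fActualLengthRead nor fReadHeader[3] by the caller's buffer size, which `*numBytes` held until it is overwritten on the line above; unless an earlier part of Read() (outside the hunk) already validates both, a malformed or hostile device header can drive the copy past the receive buffer or the caller's buffer in kernel space. Move the offset computation above the `*numBytes` assignment and guard it, e.g. `if (offset + (size_t)fReadHeader[3] > fActualLengthRead || fReadHeader[3] > *numBytes) return B_BAD_DATA;` (or whatever error Read() returns elsewhere for a bad frame). `offset` is declared `int` although it is built from uint32 and sizeof; `size_t offset` avoids the signed/unsigned conversion. A short why-comment on the `2 * sizeof(uint32)` term, `// data offset is relative to the start of the DataOffset field, after MessageType and MessageLength`, would explain the constant that replaced the old hard-coded 11.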