rndis_wlan: fix buffer overflow in rndis_query_oid

rndis_query_oid overwrites *len which stores buffer size to return full size
of received command and then uses *len with memcpy to fill buffer with
command.

Ofcourse memcpy should be done before replacing buffer size.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
index aa1880add186d63e48ab95d6126d760957abf4a3..8b09b043bc4e9e5951ffad6cd3d72375c66333f5 100644 (file)
--- a/drivers/net/wireless/rndis_wlan.c
+++ b/drivers/net/wireless/rndis_wlan.c
@@ -733,12 +733,13 @@ static int rndis_query_oid(struct usbnet *dev, __le32 oid, void *data, int *len)
                        le32_to_cpu(u.get_c->status));
 
        if (ret == 0) {
+               memcpy(data, u.buf + le32_to_cpu(u.get_c->offset) + 8, *len);
+
                ret = le32_to_cpu(u.get_c->len);
                if (ret > *len)
                        *len = ret;
-               memcpy(data, u.buf + le32_to_cpu(u.get_c->offset) + 8, *len);
-               ret = rndis_error_status(u.get_c->status);
 
+               ret = rndis_error_status(u.get_c->status);
                if (ret < 0)
                        devdbg(dev, "rndis_query_oid(%s): device returned "
                                "error,  0x%08x (%d)", oid_to_string(oid),