Hi, I found a memory overwrite causing a crash when using uqmi and qmi-via-mbim such as: uqmi -m -d /dev/cdc-wdm0 --get-signal-info
The problem is missing space for the mbim header, which is assumed in qmi_request_start():

    if (qmi->is_mbim) { buf -= sizeof(struct mbim_command_message);

I have fixed it by adding a new buffer "buf_" and setting the original "buf" to point inside "buf_".

/Mogens

Author: Mogens Lauridsen <mlaurid...@gmail.com>
Date:   Tue Nov 22 12:28:25 2016 +0100

    Fixing memory overwrite in case of qmi-via-mbim.

diff --git a/commands.c b/commands.c
index 869ca7c..fa159fc 100644
--- a/commands.c
+++ b/commands.c
@@ -29,6 +29,7 @@
 #include <libubox/blobmsg_json.h>
 #include "uqmi.h"
+#include "mbim.h"
 #include "commands.h"
 static struct blob_buf status;
@@ -205,7 +206,9 @@ static void uqmi_print_result(struct blob_attr *data)
 static bool __uqmi_run_commands(struct qmi_dev *qmi, bool option)
 {
- static char buf[2048];
+ /* Make space for mbim header in case of qmi-via-mbim */
+ static char buf_[2048 + sizeof(struct mbim_command_message)];
+ char *buf = buf_ + sizeof(struct mbim_command_message);
 static struct qmi_request req;
 int i;

_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
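Review bot: on the first hunk, pulling mbim.h into commands.c only to obtain sizeof(struct mbim_command_message) ties the generic command runner to one transport's header layout; since the qmi layer is where qmi_request_start() performs the subtraction, consider having that layer export the headroom it needs (a named constant or a small accessor) so commands.c does not have to know the MBIM structure at all.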
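Review bot: on the second hunk, buf changes from a static array to a plain char *, so any sizeof(buf) remaining in the body of __uqmi_run_commands would now evaluate to the pointer size instead of 2048; please confirm none remain, or name the payload size once (for example a QMI_BUF_SIZE define) and use it both for the array and for whatever length is passed down with buf. The headroom also stays an implicit contract with qmi_request_start(), which does buf -= sizeof(struct mbim_command_message) without checking that the caller reserved it, so any other caller of qmi_request_start() has the same exposure: either document that callers must reserve that headroom or move the reservation into the qmi layer so it is done once. Minor: the trailing underscore in buf_ is unusual in this code base; buf_storage or similar would read better.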
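The headroom the patch reserves is still an unstated contract with qmi_request_start(): the callee subtracts the header size from a pointer it did not allocate and trusts that room exists in front. As an added example that is not uqmi code and not part of the author's patch, the C below makes that contract explicit: the backing store carries a headroom count, and the prepend step refuses instead of stepping in front of the buffer, which is the underflow the original static char buf[2048] suffered. struct mbim_command_message here is a hypothetical stand-in layout (the real one is not shown on the page), struct msg_buf, the msg_buf_* functions and the demo_* functions are names invented for the example, and the payload bytes are constructed.

```c
/* Added example, not uqmi code: a message buffer with explicit headroom so
 * prepending a transport header is a checked step rather than an unstated
 * contract between caller and callee. The header below is a made-up
 * stand-in; only its size matters. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct mbim_command_message {        /* hypothetical layout */
    uint32_t type, length, transaction_id;
    uint8_t  uuid[16];
    uint32_t cid, command_type, info_length;
};

#define QMI_BUF_SIZE 2048

/* Backing storage plus a cursor: `data` is the start of the message,
 * `headroom` is how many bytes in front of it are still free. */
struct msg_buf {
    unsigned char storage[sizeof(struct mbim_command_message) + QMI_BUF_SIZE];
    unsigned char *data;
    size_t headroom, len;
};

/* reserve == 0 reproduces the original layout: no room in front of buf. */
void msg_buf_init(struct msg_buf *b, size_t reserve)
{
    if (reserve > sizeof(b->storage))
        reserve = sizeof(b->storage);
    memset(b->storage, 0, sizeof(b->storage));
    b->data = b->storage + reserve;
    b->headroom = reserve;
    b->len = 0;
}

/* Append payload bytes, bounded by what remains after `data`. */
bool msg_buf_put(struct msg_buf *b, const void *src, size_t n)
{
    size_t used = (size_t)(b->data - b->storage) + b->len;
    if (n > sizeof(b->storage) - used)
        return false;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return true;
}

/* Checked counterpart of `buf -= sizeof(struct mbim_command_message)`:
 * returns the header, or NULL instead of stepping in front of storage. */
struct mbim_command_message *msg_buf_push_mbim_header(struct msg_buf *b)
{
    struct mbim_command_message *hdr;

    if (b->headroom < sizeof(*hdr))
        return NULL;
    b->data -= sizeof(*hdr);
    b->headroom -= sizeof(*hdr);
    b->len += sizeof(*hdr);
    hdr = (struct mbim_command_message *)b->data;
    memset(hdr, 0, sizeof(*hdr));
    hdr->length = (uint32_t)b->len;  /* header plus payload */
    return hdr;
}

static const unsigned char demo_payload[] = { 0x01, 0x02, 0x03 }; /* constructed */

/* Build the constructed message with `reserve` bytes of headroom and return
 * the header's offset from the start of storage, -1 if the push was
 * refused, -2 if the payload itself did not fit. */
long demo_header_offset(size_t reserve)
{
    struct msg_buf b;
    struct mbim_command_message *hdr;

    msg_buf_init(&b, reserve);
    if (!msg_buf_put(&b, demo_payload, sizeof(demo_payload)))
        return -2;
    hdr = msg_buf_push_mbim_header(&b);
    return hdr ? (long)((unsigned char *)hdr - b.storage) : -1;
}

/* Length field the header carries for the same message when headroom
 * was reserved: sizeof(header) + 3 payload bytes. */
uint32_t demo_header_length(void)
{
    struct msg_buf b;
    struct mbim_command_message *hdr;

    msg_buf_init(&b, sizeof(struct mbim_command_message));
    msg_buf_put(&b, demo_payload, sizeof(demo_payload));
    hdr = msg_buf_push_mbim_header(&b);
    return hdr ? hdr->length : 0;
}
```

demo_header_offset(0) is the shape of the original bug: no headroom, so a blind subtraction would land in front of the array; here it is refused. demo_header_offset(sizeof(struct mbim_command_message)) is the shape of the fix, with the header landing at offset 0 of the backing store and the payload immediately after it. Tracking headroom and length in one struct also removes the sizeof(buf) trap that appears when a caller's array is replaced by a pointer into larger storage.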