Evan Green bf8035f68b watch: Fix buffer overflow
diag_ffs_recv copies mbuf->offset bytes into a fixed 16k buffer.
watch_handle_eventfd sets pending_aio->offset to ev->res, assuming
that ev->res represents the number of bytes read. But res can be
negative in error cases. This causes diag_ffs_recv to copy a very
large amount into a 16k buffer, smashing the stack.

Avoid populating pending_aio->offset if the result is failure.
Also, it appears that if the status code is EAGAIN, the I/O is
actually still in the system, and comes back later.

Signed-off-by: Evan Green <evangreen86@gmail.com>
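The class of bug the commit message describes, as an added example that is not code from the diag repository: a Linux AIO completion carries a signed result (`io_event.res` is `__s64`), which is a byte count on success and `-errno` on failure, so storing it straight into an unsigned length and then copying that many bytes into a fixed 16k buffer is a stack overflow whenever the I/O fails. The structure, function and state names below (`pending_aio`, `handle_completion_*`, `diag_recv_copy`) are hypothetical stand-ins modelled on the message, not the project's own code; the checked handler keeps an `-EAGAIN` result in flight, as the message says the real completion arrives later, and the copy routine refuses any length the destination cannot hold.

```c
/*
 * Added example modelling the completion-handling bug in the commit message.
 * All names are hypothetical stand-ins for the diag-router code, not copies of it.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIAG_BUF_SIZE 16384  /* fixed 16k receive buffer, as in the commit message */

enum aio_state { AIO_IN_FLIGHT, AIO_DONE, AIO_FAILED };

struct pending_aio {
    enum aio_state state;
    size_t offset;                  /* bytes valid in buf after completion */
    unsigned char buf[DIAG_BUF_SIZE];
};

/* Before the fix: res is stored unconditionally. A negative res (-errno)
 * becomes a huge size_t, and the later copy runs far past the 16k buffer. */
static void handle_completion_unchecked(struct pending_aio *p, int64_t res)
{
    p->offset = (size_t)res;
    p->state = AIO_DONE;
}

/* After the fix: only a non-negative res is a byte count. -EAGAIN means the
 * request is still queued and completes later; any other negative value is a
 * failure and must not populate offset. */
static void handle_completion_checked(struct pending_aio *p, int64_t res)
{
    if (res >= 0) {
        p->offset = (size_t)res;
        p->state = AIO_DONE;
    } else if (res == -EAGAIN) {
        p->state = AIO_IN_FLIGHT;   /* leave offset alone, wait for the real completion */
    } else {
        p->offset = 0;
        p->state = AIO_FAILED;
    }
}

/* Defensive receive-side copy: bound the length against the destination
 * instead of trusting offset. Returns bytes copied, or -1 if the request is
 * not complete or the length does not fit. */
static long diag_recv_copy(unsigned char *dst, size_t dstlen, const struct pending_aio *p)
{
    if (p->state != AIO_DONE || p->offset > dstlen)
        return -1;
    memcpy(dst, p->buf, p->offset);
    return (long)p->offset;
}

/* Offset the unchecked handler produces for a given result; for a -errno
 * result this is a value far larger than the buffer. */
static size_t unchecked_offset_for(int64_t res)
{
    struct pending_aio p = { .state = AIO_IN_FLIGHT, .offset = 0 };
    handle_completion_unchecked(&p, res);
    return p.offset;
}

/* Run a result through the checked handler and the bounded copy. */
static long checked_copy_for(int64_t res, enum aio_state *state_out)
{
    struct pending_aio p = { .state = AIO_IN_FLIGHT, .offset = 0 };
    unsigned char dst[DIAG_BUF_SIZE];
    handle_completion_checked(&p, res);
    if (state_out)
        *state_out = p.state;
    return diag_recv_copy(dst, sizeof dst, &p);
}

int main(void)
{
    enum aio_state st;
    printf("unchecked offset for -EIO: %zu (buffer is %d)\n",
           unchecked_offset_for(-EIO), DIAG_BUF_SIZE);
    printf("checked copy for 100:     %ld (state %d)\n", checked_copy_for(100, &st), st);
    printf("checked copy for -EAGAIN: %ld (state %d)\n", checked_copy_for(-EAGAIN, &st), st);
    printf("checked copy for -EIO:    %ld (state %d)\n", checked_copy_for(-EIO, &st), st);
    return 0;
}
```

The two checks are independent on purpose: the completion handler is where the sign of `res` must be interpreted, and the copy is where the length must be bounded against the destination, so either one alone would have stopped the overflow and together they stop it even if a future caller sets `offset` some other way.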

DIAG

DIAG implements routing of diagnostics related messages between host and various subsystems.

USB Gadget

Ensure that your kernel is built with CONFIG_CONFIGFS_FS and CONFIG_USB_CONFIGFS_F_FS and that configfs is mounted in /sys/kernel/config.

G1="/sys/kernel/config/usb_gadget/g1"

mkdir $G1
mkdir $G1/strings/0x409
mkdir $G1/functions/ffs.diag
mkdir $G1/configs/c.1
mkdir $G1/configs/c.1/strings/0x409

echo 0xVID > $G1/idVendor
echo 0xPID > $G1/idProduct
echo SERIAL > $G1/strings/0x409/serialnumber
echo MANUFACTURER > $G1/strings/0x409/manufacturer
echo PRODUCT > $G1/strings/0x409/product
echo "diag_dun" > $G1/configs/c.1/strings/0x409/configuration
ln -s $G1/functions/ffs.diag $G1/configs/c.1

mkdir /dev/ffs-diag
mount -t functionfs diag /dev/ffs-diag

diag-router &

sleep 1

echo 6a00000.dwc3 > $G1/UDC
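The same procedure with the checks and the teardown a practitioner usually ends up adding, as an added example that is not part of the diag repository's README: it verifies that configfs with gadget support is mounted and that a UDC exists before touching anything, discovers the UDC name from /sys/class/udc instead of hard-coding 6a00000.dwc3, and removes the gadget in the reverse order of creation (unbind the UDC, drop the config symlink, remove configs before functions), which configfs requires. The `SYSFS` root variable and the function names are assumptions introduced here so the script can be exercised against a scratch directory; the `sleep 1` in the README exists because the UDC bind fails until diag-router has written its descriptors to the FunctionFS ep0, so `gadget_bind` must still run only after the daemon is up.

```sh
#!/bin/sh
# Added example, not part of the diag repository. SYSFS is an assumption that
# lets the same functions run against a scratch tree instead of a real kernel.
set -eu

SYSFS="${SYSFS:-/sys}"
G1="$SYSFS/kernel/config/usb_gadget/g1"

# 0 if configfs with gadget support is mounted and a UDC is present,
# 1 if the gadget directory is missing, 2 if no UDC is registered.
gadget_prereqs_ok() {
    [ -d "$SYSFS/kernel/config/usb_gadget" ] || return 1
    [ -n "$(ls -A "$SYSFS/class/udc" 2>/dev/null)" ] || return 2
    return 0
}

# Name of the first registered UDC; this is the value written to $G1/UDC.
first_udc() {
    ls -A "$SYSFS/class/udc" | head -n 1
}

# Create the gadget: VID, PID and serial are parameters instead of placeholders.
gadget_create() {
    vid="$1"; pid="$2"; serial="$3"
    mkdir -p "$G1/strings/0x409" "$G1/functions/ffs.diag" "$G1/configs/c.1/strings/0x409"
    printf '%s\n' "$vid" > "$G1/idVendor"
    printf '%s\n' "$pid" > "$G1/idProduct"
    printf '%s\n' "$serial" > "$G1/strings/0x409/serialnumber"
    printf 'diag_dun\n' > "$G1/configs/c.1/strings/0x409/configuration"
    [ -e "$G1/configs/c.1/ffs.diag" ] || ln -s "$G1/functions/ffs.diag" "$G1/configs/c.1/ffs.diag"
}

# Bind to the UDC. Call this only after the FunctionFS daemon has written its
# descriptors to ep0; binding earlier is rejected because ffs.diag is not ready.
gadget_bind() {
    printf '%s\n' "$(first_udc)" > "$G1/UDC"
}

# Teardown reverses creation: unbind, remove the config->function link, then
# rmdir configs before functions. configfs refuses rmdir in any other order.
gadget_destroy() {
    [ -d "$G1" ] || return 0
    printf '\n' > "$G1/UDC" 2>/dev/null || true
    rm -f "$G1/configs/c.1/ffs.diag"
    rmdir "$G1/configs/c.1/strings/0x409" "$G1/configs/c.1"
    rmdir "$G1/functions/ffs.diag" "$G1/strings/0x409" "$G1"
}
```

Typical use on a device: `gadget_prereqs_ok || exit $?`, then `gadget_create 0x1234 0x5678 SERIAL`, `mount -t functionfs diag /dev/ffs-diag`, start `diag-router &`, wait for it to come up, and only then `gadget_bind`; `gadget_destroy` undoes all of it without leaving a half-removed gadget behind.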