linux/drivers/staging/ozwpan
Rupesh Gujare b2271b5bdf staging: ozwpan: Fix farewell report.
This patch fixes the following issues reported by Dan:

1) There is no check limiting the size to 32 and it could be up to
   253 bytes.
2) Use defines instead of magic numbers.
3) The oz_farewell struct is supposed to be a variable length struct
   but the variable part is put in the middle.  It doesn't make any
   sense to put the length of the variable size array after the end
   of the array because we can never find it again!  Put the
   variable size array at the end.  Make it a zero length array.
   u8 len;
   u8 report[0];
4) In oz_add_farewell() we do this:

	f = kmalloc(sizeof(struct oz_farewell) + len - 1, GFP_ATOMIC);

    The "- 1" refers to sizeof(f->report) but because it was a magic
    number then it was missed when the sizeof(f->report) changed.
5) In [patch 6/6] we set the ->len member.  But because it is at the
   end of a variable length array with no limit check the remote
   attacker can just rewrite it using the memcpy() on the next line.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Rupesh Gujare <rupesh.gujare@atmel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-08-12 14:02:58 -07:00
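
Added example, not part of the commit or the driver source: a userspace C illustration of the layout and allocation pattern the commit message above describes, with the length field ahead of a trailing variable-size array and a limit check before the allocation is sized. The names struct farewell, ep_num, farewell_alloc, farewell_len_precedes_report and FAREWELL_REPORT_MAX are hypothetical, and malloc() stands in for kmalloc().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FAREWELL_REPORT_MAX 32  /* assumed limit: the "32" in the commit message */

/* Hypothetical userspace stand-in for struct oz_farewell. Fixed-size members
 * come first and the variable part is last, so 'len' has a known offset and a
 * copy into 'report' cannot reach it. */
struct farewell {
    uint8_t ep_num;    /* hypothetical fixed field */
    uint8_t len;       /* number of valid bytes in report[] */
    uint8_t report[];  /* C99 flexible array; the commit message shows report[0] */
};

/* Returns a heap copy of the report, or NULL when the peer-supplied length
 * exceeds the limit or allocation fails. */
struct farewell *farewell_alloc(uint8_t ep_num, const uint8_t *data, size_t len)
{
    struct farewell *f;

    if (data == NULL || len > FAREWELL_REPORT_MAX)
        return NULL;                 /* reject before sizing the allocation */
    f = malloc(sizeof(*f) + len);    /* header + payload, no magic "- 1" */
    if (f == NULL)
        return NULL;
    f->ep_num = ep_num;
    f->len = (uint8_t)len;
    memcpy(f->report, data, len);    /* writes only past the fixed header */
    return f;
}

/* Layout check: 1 when 'len' precedes the variable-length part. */
int farewell_len_precedes_report(void)
{
    return offsetof(struct farewell, len) < offsetof(struct farewell, report);
}

int main(void)
{
    uint8_t sample[253] = { 0xAB };  /* constructed input, largest size named above */
    struct farewell *ok = farewell_alloc(1, sample, FAREWELL_REPORT_MAX);
    struct farewell *bad = farewell_alloc(1, sample, sizeof(sample));
    int rc = (ok != NULL && bad == NULL && farewell_len_precedes_report()) ? 0 : 1;

    free(ok);
    free(bad);
    return rc;
}
```
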
Kconfig staging: ozwpan depends on NET 2012-03-14 12:14:26 -07:00
Makefile staging: ozwpan: Rename Kbuild to Makefile 2013-07-23 14:34:53 -07:00
ozappif.h staging: ozwpan: remove event tracing code. 2013-06-17 14:48:12 -07:00
ozcdev.c staging: ozwpan: Fix coding style. 2013-07-25 13:40:53 -07:00
ozcdev.h staging/ozwpan: Remove empty and unused function oz_cdev_heartbeat 2013-02-15 15:14:30 -08:00
ozdbg.h staging: ozwpan: Replace oz_trace with oz_dbg 2013-07-23 14:34:52 -07:00
ozeltbuf.c staging: ozwpan: Remove old debug macro. 2013-07-23 14:34:53 -07:00
ozeltbuf.h staging: ozwpan: Added device state support 2012-02-24 09:26:51 -08:00
ozhcd.c staging: ozwpan: Fix build warning. 2013-08-12 14:00:29 -07:00
ozhcd.h staging: ozwpan: Added USB HCD implementation 2012-02-24 09:26:51 -08:00
ozmain.c staging: ozwpan: Remove old debug macro. 2013-07-23 14:34:53 -07:00
ozpd.c staging: ozwpan: Drop oldest ISOC frame instead of dropping latest. 2013-08-02 11:56:56 +08:00
ozpd.h staging: ozwpan: Fix farewell report. 2013-08-12 14:02:58 -07:00
ozproto.c staging: ozwpan: Fix farewell report. 2013-08-12 14:02:58 -07:00
ozproto.h staging: ozwpan: Mark string as const 2013-08-02 11:56:55 +08:00
ozprotocol.h staging: ozwpan: isoc latency for audio burst 2012-08-13 19:17:17 -07:00
ozurbparanoia.c staging: ozwpan: High resolution timers 2013-07-31 17:48:21 -07:00
ozurbparanoia.h staging: ozwpan: Convert macro to function. 2013-07-23 14:34:53 -07:00
ozusbif.h staging/ozwpan: Mark read only parameters and structs as const 2013-02-15 15:14:30 -08:00
ozusbsvc1.c staging: ozwpan: Remove old debug macro. 2013-07-23 14:34:53 -07:00
ozusbsvc.c staging: ozwpan: High resolution timers 2013-07-31 17:48:21 -07:00
ozusbsvc.h staging: ozwpan: Added USB service to protocol 2012-02-24 09:26:51 -08:00
README staging,ozwpan: Fix typo in comments within staging/ozwpan 2012-04-25 10:59:16 -07:00
TODO staging:ozwpan: Change email address. 2013-01-25 11:23:07 -08:00

OZWPAN USB Host Controller Driver
---------------------------------
This driver is a USB HCD driver that does not have an associated physical
device but instead uses Wi-Fi to communicate with the wireless peripheral.
The USB requests are converted into a layer 2 network protocol and transmitted
on the network using an ethertype (0x892e) registered to Ozmo Device Inc.
This driver is compatible with existing wireless devices that use Ozmo Devices
technology.

To operate, the driver must be bound to a suitable network interface. This can
be done when the module is loaded (specifying the name of the network interface
as a parameter - e.g. 'insmod ozwpan g_net_dev=go0') or can be bound after
loading using an ioctl call. See the ozappif.h file and the ioctls
OZ_IOCTL_ADD_BINDING and OZ_IOCTL_REMOVE_BINDING.

The devices that connect to the host use Wi-Fi Direct, so a network card that
supports Wi-Fi Direct is required. A recent version (0.8.x or later) of
wpa_supplicant can be used to set up the network interface to create a persistent
autonomous group (for older pre-WFD peripherals) or put in a listen state to
allow group negotiation to occur for more recent devices that support WFD.

The protocol used over the network does not directly mimic the USB bus
transactions as this would be rather busy and inefficient. Instead, the chapter 9
requests are converted into a request/response pair of messages. (See
ozprotocol.h for data structures used in the protocol).