From 357e6f8860e964906b77fa2803c400069a9782b0 Mon Sep 17 00:00:00 2001
From: Michel Pollet <michel.pollet@bp.renesas.com>
Date: Thu, 10 May 2018 14:09:09 +0100
Subject: [PATCH] UPSTREAM: USB: rndis: Fix for handling garbled messages

A message can be forged to crash the stack; here we make sure we don't
completely break the system if this occurs

Change-Id: Id5ae7509c7d629c62ce5fe567c551a1e424e0bf3
Signed-off-by: Michel Pollet <michel.pollet@bp.renesas.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: William Wu <william.wu@rock-chips.com>
(cherry picked from commit 1ca532e9916a277b0e87271e6b367a3774808035)
---
 drivers/usb/gadget/function/rndis.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/gadget/function/rndis.c b/drivers/usb/gadget/function/rndis.c
index 4dba794a6ad5..37777700d561 100644
--- a/drivers/usb/gadget/function/rndis.c
+++ b/drivers/usb/gadget/function/rndis.c
@@ -866,6 +866,9 @@ int rndis_msg_parser(struct rndis_params *params, u8 *buf)
 		 */
 		pr_warning("%s: unknown RNDIS message 0x%08X len %d\n",
 			__func__, MsgType, MsgLength);
+		/* Garbled message can be huge, so limit what we display */
+		if (MsgLength > 16)
+			MsgLength = 16;
 		print_hex_dump_bytes(__func__, DUMP_PREFIX_OFFSET,
 				     buf, MsgLength);
 		break;