[LEDE-DEV] Fix for uqmi crash when using qmi-via-mbim (--mbim / -m)
Felix Fietkau
nbd at nbd.name
Tue Nov 22 04:12:44 PST 2016
On 2016-11-22 12:47, Mogens Lauridsen wrote:
> Hi,
>
> I found a memory overwrite causing a crash when using uqmi and
> qmi-via-mbim such as:
> uqmi -m -d /dev/cdc-wdm0 --get-signal-info
>
> The problem is missing space for mbim header, which is assumed in
> qmi_request_start():
>
> if (qmi->is_mbim) {
> buf -= sizeof(struct mbim_command_message);
>
> I have fixed it by adding a new buffer "buf_" and setting the original "buf"
> to point inside "buf_"
I have a better fix in mind. Please try this:
diff --git a/dev.c b/dev.c
index 9bf7ab2..9662a9a 100644
--- a/dev.c
+++ b/dev.c
@@ -38,11 +38,8 @@ static const uint8_t qmi_services[__QMI_SERVICE_LAST] = {
#undef __qmi_service
static struct {
- struct mbim_command_message mbim;
- union {
- char buf[512];
- struct qmi_msg msg;
- } u;
+ char buf[512];
+ struct qmi_msg msg;
} __packed msgbuf;
#ifdef DEBUG_PACKET
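Review bot: Removing the `union` wrapper along with the `mbim` member makes `buf` and `msg` two consecutive members of `msgbuf`, so `msg` no longer overlays the 512-byte buffer. `struct qmi_msg` is not visible here, but if messages are built in place through `&msgbuf.msg` (as the later hunks in qmi_service_connect and __qmi_service_disconnect suggest) and grow by appending TLVs, they now have only `sizeof(struct qmi_msg)` bytes at the tail of the object and would write past the end of `msgbuf`. That would reintroduce the kind of memory overwrite this thread is about. Keeping the overlay while dropping the header looks like the intent: `static union { char buf[512]; struct qmi_msg msg; } __packed msgbuf;`.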
@@ -191,9 +188,9 @@ int qmi_request_start(struct qmi_dev *qmi, struct qmi_request *req, struct qmi_m
list_add(&req->list, &qmi->req);
if (qmi->is_mbim) {
- buf -= sizeof(struct mbim_command_message);
- mbim_qmi_cmd((struct mbim_command_message *) buf, len, tid);
- len += sizeof(struct mbim_command_message);
+ struct mbim_command_message mbim;
+ mbim_qmi_cmd(&mbim, len, tid);
+ ustream_write(&qmi->sf.stream, (void *) &mbim, sizeof(mbim), true);
}
dump_packet("Send packet", buf, len);
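Review bot: `mbim` is an uninitialised stack object and all `sizeof(mbim)` bytes of it are written to the device, so any field or padding byte that `mbim_qmi_cmd()` does not set sends stale stack contents off the host. Adding `memset(&mbim, 0, sizeof(mbim));` before the `mbim_qmi_cmd()` call would close that. The result of the added `ustream_write()` is also ignored, so a failed or short header write would go unnoticed and the QMI body would presumably still be sent without its MBIM framing. Header and body now leave as two separate writes, so it is worth confirming that the cdc-wdm device accepts one MBIM message split that way, and `dump_packet()` no longer shows the header bytes. The body of qmi_request_start starts and ends outside this hunk.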
@@ -260,7 +257,7 @@ int qmi_service_connect(struct qmi_dev *qmi, QmiService svc, int client_id)
};
struct qmi_connect_request req;
int idx = qmi_get_service_idx(svc);
- struct qmi_msg *msg = &msgbuf.u.msg;
+ struct qmi_msg *msg = &msgbuf.msg;
if (idx < 0)
return -1;
@@ -299,7 +296,7 @@ static void __qmi_service_disconnect(struct qmi_dev *qmi, int idx)
)
};
struct qmi_request req;
- struct qmi_msg *msg = &msgbuf.u.msg;
+ struct qmi_msg *msg = &msgbuf.msg;
qmi->service_connected &= ~(1 << idx);
qmi->service_data[idx].client_id = -1;