From cd567a9d570dc4041e8aaf65f2546761d7089f7f Mon Sep 17 00:00:00 2001
From: Sriharsha Allenki <sallenki@codeaurora.org>
Date: Thu, 27 Jul 2017 11:07:00 +0530
Subject: [PATCH] usb: f_qc_rndis: Fix rndis message parsing of erroneous requests

In the completion handler of rndis command requests we are parsing the request buffers without checking the status of the request. This might cause parsing of the erroneous requests. Fix this by checking the status of the request before parsing the request buffer.

Change-Id: I15ffd0bef4b42adf2300085dc3720d599e647cb5
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
---
 drivers/usb/gadget/function/f_qc_rndis.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/usb/gadget/function/f_qc_rndis.c b/drivers/usb/gadget/function/f_qc_rndis.c
index 434af820e827..a28bcd084dc3 100644
--- a/drivers/usb/gadget/function/f_qc_rndis.c
+++ b/drivers/usb/gadget/function/f_qc_rndis.c
@@ -545,6 +545,12 @@ static void rndis_qc_command_complete(struct usb_ep *ep,
 rndis_init_msg_type *buf;
 u32 ul_max_xfer_size, dl_max_xfer_size;

+ if (req->status != 0) {
+ pr_err("%s: RNDIS command completion error %d\n",
+ __func__, req->status);
+ return;
+ }
+
 spin_lock(&rndis_lock);
 rndis = _rndis_qc;
 if (!rndis || !rndis->notify || !rndis->notify->driver_data) {
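Review bot: The new guard at the top of rndis_qc_command_complete() rejects failed transfers but still lets through a short transfer that completed successfully, because `req->status == 0` says nothing about how many bytes the host actually wrote into `req->buf`. The parsing lies below the hunk, so this is inferred from the `rndis_init_msg_type *buf` and `ul_max_xfer_size`/`dl_max_xfer_size` locals. Before any init-message field is read, the received length should be bounded as well, for example `if (req->actual < sizeof(*buf)) return;`. That check belongs where `buf` is first dereferenced, after the message type is known, since other RNDIS control messages are shorter than an init message. Separately, this path can be hit repeatedly during resets and disconnects, so `pr_err_ratelimited("%s: RNDIS command completion error %d\n", __func__, req->status);` would keep the log from being flooded.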