diff options
| author |   Xi Wang <xi.wang@gmail.com> | 2012-04-09 15:48:45 -0400 |
|---|---|---|
| committer |   Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-04-17 15:54:57 -0700 |
| commit | 8bde9a62ee74afa89f593c563e926d163b1f6ada (patch) | |
| tree | 32b9daa28afaf5b93329ed4a8509602d2b5f6b2a /drivers/usb | |
| parent | usb: usbtest: avoid integer overflow in test_ctrl_queue() (diff) | |
| download | linux-dev-8bde9a62ee74afa89f593c563e926d163b1f6ada.tar.xz linux-dev-8bde9a62ee74afa89f593c563e926d163b1f6ada.zip | |
usb: usbtest: avoid integer overflow in alloc_sglist()
A large `nents' from userspace could overflow the allocation size,
leading to memory corruption.
| alloc_sglist()
| usbtest_ioctl()
Use kmalloc_array() to avoid the overflow.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/usb')
| -rw-r--r-- | drivers/usb/misc/usbtest.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c index 967254afb6e8..cac67dea2bac 100644 --- a/drivers/usb/misc/usbtest.c +++ b/drivers/usb/misc/usbtest.c @@ -423,7 +423,7 @@ alloc_sglist(int nents, int max, int vary) unsigned i; unsigned size = max; - sg = kmalloc(nents * sizeof *sg, GFP_KERNEL); + sg = kmalloc_array(nents, sizeof *sg, GFP_KERNEL); if (!sg) return NULL; sg_init_table(sg, nents); |