Commit 8bde9a62 authored by Xi Wang, committed by Greg Kroah-Hartman

usb: usbtest: avoid integer overflow in alloc_sglist()



A large `nents' from userspace could overflow the allocation size,
leading to memory corruption.

| alloc_sglist()
| usbtest_ioctl()

Use kmalloc_array() to avoid the overflow.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent e65cdfae
+1 −1
@@ -423,7 +423,7 @@ alloc_sglist(int nents, int max, int vary)
	unsigned		i;
	unsigned		size = max;

	sg = kmalloc(nents * sizeof *sg, GFP_KERNEL);
	sg = kmalloc_array(nents, sizeof *sg, GFP_KERNEL);
	if (!sg)
		return NULL;
	sg_init_table(sg, nents);
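
Review bot: nents is still a signed int in the alloc_sglist(int nents, int max, int vary) signature, and the same value is passed on to sg_init_table(sg, nents) right after the allocation, so the overflow check inside kmalloc_array() only covers the multiplication. Consider rejecting nents <= 0, and anything above a sane upper bound for the test, at the top of alloc_sglist() or in usbtest_ioctl() before the value gets here, and making the parameter unsigned so it matches the size_t count that kmalloc_array() takes. A zero count deserves particular attention, since the if (!sg) check may not catch a zero-length allocation. The commit message could also name which ioctl parameter feeds nents, so the userspace-reachable path is clear from the log.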