summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorXi Wang <xi.wang@gmail.com>2012-04-09 21:48:45 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2012-04-18 00:54:57 +0200
commit8bde9a62ee74afa89f593c563e926d163b1f6ada (patch)
tree32b9daa28afaf5b93329ed4a8509602d2b5f6b2a
parentusb: usbtest: avoid integer overflow in test_ctrl_queue() (diff)
downloadlinux-8bde9a62ee74afa89f593c563e926d163b1f6ada.tar.xz
linux-8bde9a62ee74afa89f593c563e926d163b1f6ada.zip
usb: usbtest: avoid integer overflow in alloc_sglist()
A large `nents' from userspace could overflow the allocation size, leading to memory corruption. | alloc_sglist() | usbtest_ioctl() Use kmalloc_array() to avoid the overflow. Signed-off-by: Xi Wang <xi.wang@gmail.com> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/usb/misc/usbtest.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
index 967254afb6e8..cac67dea2bac 100644
--- a/drivers/usb/misc/usbtest.c
+++ b/drivers/usb/misc/usbtest.c
@@ -423,7 +423,7 @@ alloc_sglist(int nents, int max, int vary)
unsigned i;
unsigned size = max;
- sg = kmalloc(nents * sizeof *sg, GFP_KERNEL);
+ sg = kmalloc_array(nents, sizeof *sg, GFP_KERNEL);
if (!sg)
return NULL;
sg_init_table(sg, nents);