summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorXi Wang <xi.wang@gmail.com>2012-04-09 21:48:55 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2012-04-18 00:54:57 +0200
commite65cdfae71cecec0fcd43a3f9ac8b5e4ae52db08 (patch)
tree58a21396dcd320fd530fc1e49be4f87edb2582d0 /drivers
parentUSB: fix deadlock in bConfigurationValue attribute method (diff)
downloadlinux-e65cdfae71cecec0fcd43a3f9ac8b5e4ae52db08.tar.xz
linux-e65cdfae71cecec0fcd43a3f9ac8b5e4ae52db08.zip
usb: usbtest: avoid integer overflow in test_ctrl_queue()
Avoid overflowing context.count = param->sglen * param->iterations, where both `sglen' and `iterations' are from userspace. | test_ctrl_queue() | usbtest_ioctl() Keep -EOPNOTSUPP for error code. Signed-off-by: Xi Wang <xi.wang@gmail.com> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/usb/misc/usbtest.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
index 959145baf3cf..967254afb6e8 100644
--- a/drivers/usb/misc/usbtest.c
+++ b/drivers/usb/misc/usbtest.c
@@ -904,6 +904,9 @@ test_ctrl_queue(struct usbtest_dev *dev, struct usbtest_param *param)
struct ctrl_ctx context;
int i;
+ if (param->sglen == 0 || param->iterations > UINT_MAX / param->sglen)
+ return -EOPNOTSUPP;
+
spin_lock_init(&context.lock);
context.dev = dev;
init_completion(&context.complete);
@@ -1981,8 +1984,6 @@ usbtest_ioctl(struct usb_interface *intf, unsigned int code, void *buf)
/* queued control messaging */
case 10:
- if (param->sglen == 0)
- break;
retval = 0;
dev_info(&intf->dev,
"TEST 10: queue %d control calls, %d times\n",