usb: usbtest: avoid integer overflow in alloc_sglist()

A large `nents' from userspace could overflow the allocation size, leading to memory corruption. | alloc_sglist() | usbtest_ioctl() Use kmalloc_array() to avoid the overflow. Signed-off-by: Xi Wang <xi.wang@gmail.com> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: usbtest: avoid integer overflow in alloc_sglist()
A large `nents' from userspace could overflow the allocation size, leading to memory corruption. | alloc_sglist() | usbtest_ioctl() Use kmalloc_array() to avoid the overflow. Signed-off-by: Xi Wang <xi.wang@gmail.com> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8bde9a62 · Xi Wang · Greg Kroah-Hartman · e65cdfae · 8bde9a62
Commit 8bde9a62 authored Apr 09, 2012 by Xi Wang Committed by Greg Kroah-Hartman Apr 17, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/usb/misc/usbtest.c drivers/usb/misc/usbtest.c +1 -1

No files found.
--- a/drivers/usb/misc/usbtest.c
+++ b/drivers/usb/misc/usbtest.c
@@ -423,7 +423,7 @@ alloc_sglist(int nents, int max, int vary)
 	unsigned		i;
 	unsigned		size = max;

-	sg = kmalloc(nents * sizeof *sg, GFP_KERNEL);
+	sg = kmalloc_array(nents, sizeof *sg, GFP_KERNEL);
 	if (!sg)
 		return NULL;
 	sg_init_table(sg, nents);