Commit 8bde9a62 authored by Xi Wang's avatar Xi Wang Committed by Greg Kroah-Hartman

usb: usbtest: avoid integer overflow in alloc_sglist()

A large `nents' from userspace could overflow the allocation size,
leading to memory corruption.

| alloc_sglist()
| usbtest_ioctl()

Use kmalloc_array() to avoid the overflow.
Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent e65cdfae
...@@ -423,7 +423,7 @@ alloc_sglist(int nents, int max, int vary) ...@@ -423,7 +423,7 @@ alloc_sglist(int nents, int max, int vary)
unsigned i; unsigned i;
unsigned size = max; unsigned size = max;
sg = kmalloc(nents * sizeof *sg, GFP_KERNEL); sg = kmalloc_array(nents, sizeof *sg, GFP_KERNEL);
if (!sg) if (!sg)
return NULL; return NULL;
sg_init_table(sg, nents); sg_init_table(sg, nents);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment