diff options
author | Xi Wang <xi.wang@gmail.com> | 2012-04-09 15:48:55 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-04-17 15:54:57 -0700 |
commit | e65cdfae71cecec0fcd43a3f9ac8b5e4ae52db08 (patch) | |
tree | 58a21396dcd320fd530fc1e49be4f87edb2582d0 | |
parent | 8963c487a80b4688c9e68dcc504a90074aacc145 (diff) |
usb: usbtest: avoid integer overflow in test_ctrl_queue()
Avoid overflowing context.count = param->sglen * param->iterations,
where both `sglen' and `iterations' are from userspace.
| test_ctrl_queue()
| usbtest_ioctl()
Keep -EOPNOTSUPP for error code.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | drivers/usb/misc/usbtest.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c index 959145baf3c..967254afb6e 100644 --- a/drivers/usb/misc/usbtest.c +++ b/drivers/usb/misc/usbtest.c @@ -904,6 +904,9 @@ test_ctrl_queue(struct usbtest_dev *dev, struct usbtest_param *param) struct ctrl_ctx context; int i; + if (param->sglen == 0 || param->iterations > UINT_MAX / param->sglen) + return -EOPNOTSUPP; + spin_lock_init(&context.lock); context.dev = dev; init_completion(&context.complete); @@ -1981,8 +1984,6 @@ usbtest_ioctl(struct usb_interface *intf, unsigned int code, void *buf) /* queued control messaging */ case 10: - if (param->sglen == 0) - break; retval = 0; dev_info(&intf->dev, "TEST 10: queue %d control calls, %d times\n", |