summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorXi Wang <xi.wang@gmail.com>2012-04-09 15:48:55 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2012-04-17 15:54:57 -0700
commite65cdfae71cecec0fcd43a3f9ac8b5e4ae52db08 (patch)
tree58a21396dcd320fd530fc1e49be4f87edb2582d0
parent8963c487a80b4688c9e68dcc504a90074aacc145 (diff)
usb: usbtest: avoid integer overflow in test_ctrl_queue()
Avoid overflowing context.count = param->sglen * param->iterations, where both `sglen' and `iterations' are from userspace. | test_ctrl_queue() | usbtest_ioctl() Keep -EOPNOTSUPP for error code. Signed-off-by: Xi Wang <xi.wang@gmail.com> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/usb/misc/usbtest.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
index 959145baf3c..967254afb6e 100644
--- a/drivers/usb/misc/usbtest.c
+++ b/drivers/usb/misc/usbtest.c
@@ -904,6 +904,9 @@ test_ctrl_queue(struct usbtest_dev *dev, struct usbtest_param *param)
struct ctrl_ctx context;
int i;
+ if (param->sglen == 0 || param->iterations > UINT_MAX / param->sglen)
+ return -EOPNOTSUPP;
+
spin_lock_init(&context.lock);
context.dev = dev;
init_completion(&context.complete);
@@ -1981,8 +1984,6 @@ usbtest_ioctl(struct usb_interface *intf, unsigned int code, void *buf)
/* queued control messaging */
case 10:
- if (param->sglen == 0)
- break;
retval = 0;
dev_info(&intf->dev,
"TEST 10: queue %d control calls, %d times\n",