usb: usbtest: avoid integer overflow in alloc_sglist()
authorXi Wang <xi.wang@gmail.com>
Mon, 9 Apr 2012 19:48:45 +0000 (15:48 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 17 Apr 2012 22:54:57 +0000 (15:54 -0700)
A large `nents' from userspace could overflow the allocation size,
leading to memory corruption.

| alloc_sglist()
| usbtest_ioctl()

Use kmalloc_array() to avoid the overflow.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/misc/usbtest.c

index 967254a..cac67de 100644 (file)
@@ -423,7 +423,7 @@ alloc_sglist(int nents, int max, int vary)
        unsigned                i;
        unsigned                size = max;
 
-       sg = kmalloc(nents * sizeof *sg, GFP_KERNEL);
+       sg = kmalloc_array(nents, sizeof *sg, GFP_KERNEL);
        if (!sg)
                return NULL;
        sg_init_table(sg, nents);