usb: usbtest: avoid integer overflow in alloc_sglist()

A large `nents' from userspace could overflow the allocation size, leading to memory corruption. | alloc_sglist() | usbtest_ioctl() Use kmalloc_array() to avoid the overflow. Signed-off-by: N Xi Wang <xi.wang@gmail.com> Acked-by: N Alan Stern <stern@rowland.harvard.edu> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: usbtest: avoid integer overflow in alloc_sglist()
A large `nents' from userspace could overflow the allocation size, leading to memory corruption. | alloc_sglist() | usbtest_ioctl() Use kmalloc_array() to avoid the overflow. Signed-off-by: N Xi Wang <xi.wang@gmail.com> Acked-by: N Alan Stern <stern@rowland.harvard.edu> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8bde9a62 · Xi Wang · Greg Kroah-Hartman · e65cdfae · 8bde9a62
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

drivers/usb/misc/usbtest.c drivers/usb/misc/usbtest.c +1 -1

未找到文件。
--- a/drivers/usb/misc/usbtest.c
+++ b/drivers/usb/misc/usbtest.c
@@ -423,7 +423,7 @@ alloc_sglist(int nents, int max, int vary)
 	unsigned		i;
 	unsigned		size = max;

-	sg = kmalloc(nents * sizeof *sg, GFP_KERNEL);
+	sg = kmalloc_array(nents, sizeof *sg, GFP_KERNEL);
 	if (!sg)
 		return NULL;
 	sg_init_table(sg, nents);