usb: usbtest: avoid integer overflow in alloc_sglist()

A large `nents' from userspace could overflow the allocation size,
leading to memory corruption.

| alloc_sglist()
| usbtest_ioctl()

Use kmalloc_array() to avoid the overflow.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Xi Wang 2012-04-09 15:48:45 -04:00 committed by Greg Kroah-Hartman
parent e65cdfae71
commit 8bde9a62ee
1 changed files with 1 additions and 1 deletions

View File

@ -423,7 +423,7 @@ alloc_sglist(int nents, int max, int vary)
unsigned i; unsigned i;
unsigned size = max; unsigned size = max;
sg = kmalloc(nents * sizeof *sg, GFP_KERNEL); sg = kmalloc_array(nents, sizeof *sg, GFP_KERNEL);
if (!sg) if (!sg)
return NULL; return NULL;
sg_init_table(sg, nents); sg_init_table(sg, nents);