Searched hist:cb84f568 (Results 1 – 1 of 1) sorted by relevance
| /openbmc/linux/drivers/usb/misc/ |
| H A D | usbtest.c | cb84f568 Sat Sep 30 03:15:29 CDT 2017 Dan Carpenter <dan.carpenter@oracle.com> usb: misc: usbtest: Fix overflow in usbtest_do_ioctl()
There used to be a test against "if (param->sglen > MAX_SGLEN)" but it
was removed during a refactor. It leads to an integer overflow and a
stack overflow in test_queue() if we try to create a too large urbs[]
array on the stack.
There is a second integer overflow in test_queue() as well if
"param->iterations" is too high. I don't immediately see that it's
harmful but I've added a check to prevent it and silence the static
checker warning.
Fixes: 18fc4ebdc705 ("usb: misc: usbtest: Remove timeval usage")
Acked-by: Deepa Dinamani <deepa.kernel@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
cb84f568 Sat Sep 30 03:15:29 CDT 2017 Dan Carpenter <dan.carpenter@oracle.com> usb: misc: usbtest: Fix overflow in usbtest_do_ioctl()
There used to be a test against "if (param->sglen > MAX_SGLEN)" but it
was removed during a refactor. It leads to an integer overflow and a
stack overflow in test_queue() if we try to create a too large urbs[]
array on the stack.
There is a second integer overflow in test_queue() as well if
"param->iterations" is too high. I don't immediately see that it's
harmful but I've added a check to prevent it and silence the static
checker warning.
Fixes: 18fc4ebdc705 ("usb: misc: usbtest: Remove timeval usage")
Acked-by: Deepa Dinamani <deepa.kernel@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
|