usb: usbtest: avoid integer overflow in test_ctrl_queue()

Avoid overflowing context.count = param->sglen * param->iterations, where both `sglen' and `iterations' are from userspace. | test_ctrl_queue() | usbtest_ioctl() Keep -EOPNOTSUPP for error code. Signed-off-by: Xi Wang <xi.wang@gmail.com> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Xi Wang <xi.wang@gmail.com> 2012-04-09 15:48:55 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-04-17 18:54:57 -0400
commit: e65cdfae71cecec0fcd43a3f9ac8b5e4ae52db08 (patch)
tree: 58a21396dcd320fd530fc1e49be4f87edb2582d0
parent: 8963c487a80b4688c9e68dcc504a90074aacc145 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
index 959145baf3cf..967254afb6e8 100644
--- a/drivers/usb/misc/usbtest.c
+++ b/drivers/usb/misc/usbtest.c
@@ -904,6 +904,9 @@ test_ctrl_queue(struct usbtest_dev *dev, struct usbtest_param *param)
        struct ctrl_ctx         context;
        int                     i;
+        if (param->sglen == 0 || param->iterations > UINT_MAX / param->sglen)
+                return -EOPNOTSUPP;
        spin_lock_init(&context.lock);
        context.dev = dev;
        init_completion(&context.complete);
@@ -1981,8 +1984,6 @@ usbtest_ioctl(struct usb_interface *intf, unsigned int code, void *buf)
        /* queued control messaging */
        case 10:
-                if (param->sglen == 0)
-                        break;
                retval = 0;
                dev_info(&intf->dev,
                                "TEST 10:  queue %d control calls, %d times\n",
author	Xi Wang <xi.wang@gmail.com>	2012-04-09 15:48:55 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2012-04-17 18:54:57 -0400
commit	e65cdfae71cecec0fcd43a3f9ac8b5e4ae52db08 (patch)
tree	58a21396dcd320fd530fc1e49be4f87edb2582d0
parent	8963c487a80b4688c9e68dcc504a90074aacc145 (diff)