diff options
| author | Alan Stern <stern@rowland.harvard.edu> | 2010-06-18 10:16:33 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2010-06-30 11:16:06 -0400 |
| commit | 64d65872f96e2a754caa12ef48949c314384bd9f (patch) | |
| tree | 1fbd174ef9b2df672a68f81c960599c39b238286 /drivers/usb | |
| parent | 3b49d2315c119b9ae8a9a33b07d4eb7d194c01a7 (diff) | |
USB: fix oops in usb_sg_init()
This patch (as1401) fixes a bug in usb_sg_init() that can cause an
invalid pointer dereference. An inner loop reuses some local variables
in an unsafe manner, so new variables are introduced.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Ajay Kumar Gupta <ajay.gupta@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/usb')
| -rw-r--r-- | drivers/usb/core/message.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c index a73e08fdab36..fd4c36ea5e46 100644 --- a/drivers/usb/core/message.c +++ b/drivers/usb/core/message.c | |||
| @@ -416,8 +416,11 @@ int usb_sg_init(struct usb_sg_request *io, struct usb_device *dev, | |||
| 416 | /* A length of zero means transfer the whole sg list */ | 416 | /* A length of zero means transfer the whole sg list */ |
| 417 | len = length; | 417 | len = length; |
| 418 | if (len == 0) { | 418 | if (len == 0) { |
| 419 | for_each_sg(sg, sg, nents, i) | 419 | struct scatterlist *sg2; |
| 420 | len += sg->length; | 420 | int j; |
| 421 | |||
| 422 | for_each_sg(sg, sg2, nents, j) | ||
| 423 | len += sg2->length; | ||
| 421 | } | 424 | } |
| 422 | } else { | 425 | } else { |
| 423 | /* | 426 | /* |